Other information and services of the government: www.belgium.be Centre for Cybersecurity Belgium
search

Warning: CRITICAL CVE-2026-32613 & CVE-2026-32604 in Spinnaker, Patch Immediately!

Image
Decorative image
Published : 22/04/2026
  • Last Update: 22/04/2026

    * Affected products:
         → Spinnaker

    * Type: Remote Code Execution (RCE)

    * CVE/CVSS:

         → CVE-2026-32613: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         → CVE-2026-32604: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

GHSA - https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r
GHSA - https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6

Risks

Multiple critical vulnerabilities have been identified in Spinnaker, an open-source multi-cloud continuous delivery platform. These vulnerabilities may allow an authenticated attacker to execute arbitrary code or access internal resources by abusing insufficient input validation mechanisms.

Description

CVE-2026-32613 - RCE via expression parsing
A second critical vulnerability affects expression parsing, where insufficient validation allows execution of malicious expressions. This can lead to arbitrary code execution when untrusted input is processed within pipeline expressions.

CVE-2026-32604 - RCE when using gitrepo artifact types
A critical vulnerability exists in the handling of gitrepo artifact types due to improper sanitisation of user-controlled input such as branch names and file paths. An attacker with access to pipeline configuration may exploit this flaw to execute arbitrary code on the affected system.

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Feedly