PT-2026-25777 · Spinnaker · Spinnaker

Codewobbler

Published 2026-01-05 · Updated 2026-03-20

CVE-2026-25534

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Spinnaker versions prior to 2025.4.1
Spinnaker versions prior to 2025.3.1
Spinnaker versions prior to 2025.2.4
Spinnaker version 2026.0.0
Description

Spinnaker updated the URL validation logic applied to user input so that URLs handed to clouddriver are sanitized. However, Java URL objects do not handle underscores correctly during parsing, so the validation added for a previous issue can be bypassed. This affects both clouddriver and Orca's fromUrl expression handling: the root cause is the way Java URL objects process underscores within URLs, which circumvents the intended URL validation.
Recommendations

Versions prior to 2025.4.1 should be updated to version 2025.4.1 or later.
Versions prior to 2025.3.1 should be updated to version 2025.3.1 or later.
Versions prior to 2025.2.4 should be updated to version 2025.2.4 or later.
Version 2026.0.0 contains a fix for this vulnerability.
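The description turns on a validator whose parser disagrees with the parser used by the component that later makes the request. The following is an added example, not code from Spinnaker or from this advisory, and it does not reproduce the Spinnaker bypass itself: it shows the general defensive pattern of contrasting the lenient java.net.URL parser with the stricter java.net.URI parser, rejecting any URL whose host the strict parser cannot name (which is what happens for a host containing an underscore), and then checking that host against an allow-list. The allow-list entry and the sample URLs are constructed for the example.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

// Added example (not Spinnaker's or the advisory's code): validate the host a
// strict parser recovers, instead of the host a lenient parser is willing to report.
public final class StrictHostCheck {

    // Assumed allow-list of hosts a fetch may reach; a real service would load it from configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("artifacts.example.internal");

    /** Host as reported by java.net.URL, which accepts names that are not valid DNS host names. */
    public static String lenientHost(String rawUrl) {
        try {
            return new URL(rawUrl).getHost();
        } catch (MalformedURLException e) {
            return null;
        }
    }

    /**
     * Host as reported by java.net.URI. getHost() is populated only when the
     * authority parses as a strict server-based authority (RFC 2396 host name or
     * IP literal). An authority containing '_' does not, so getHost() returns null.
     */
    public static String strictHost(String rawUrl) {
        try {
            return new URI(rawUrl).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Accept only https URLs whose strictly parsed host is on the allow-list. */
    public static boolean isAllowed(String rawUrl) {
        final URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            return false; // not even syntactically a URI
        }
        String host = uri.getHost();
        if (host == null) {
            return false; // the strict parser could not name a host: reject rather than guess
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false; // scheme is part of the policy, not only the host
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an allowed host, a host with an underscore, and a wrong scheme.
        String[] samples = {
            "https://artifacts.example.internal/releases/app.tgz",
            "https://under_score.example.internal/releases/app.tgz",
            "http://artifacts.example.internal/releases/app.tgz",
        };
        for (String s : samples) {
            System.out.printf("%-56s URL.getHost=%-30s URI.getHost=%-30s allowed=%b%n",
                    s, lenientHost(s), strictHost(s), isAllowed(s));
        }
    }
}
```

Run with `java StrictHostCheck.java`. The second sample is the instructive one: java.net.URL happily reports the underscore host, while java.net.URI reports no host at all. A validator that only filters what the lenient parser shows it can therefore be satisfied by input that the strict parser, and potentially the HTTP client behind it, interprets differently. Treating a null host as a rejection, and matching the strict host against an allow-list instead of filtering characters, removes that gap.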

Exploit

Fix

SSRF

RCE


Weakness Enumeration

Related identifiers

CVE-2026-25534
GHSA-8R8J-GFHG-FW38
GHSA-VRJC-Q2FH-6X9H

Affected products

Spinnaker