Spinnaker · Spinnaker · CVE-2026-25534
**Name of the Vulnerable Software and Affected Versions**
Spinnaker versions prior to 2025.4.1
Spinnaker versions prior to 2025.3.1
Spinnaker versions prior to 2025.2.4
Spinnaker version 2026.0.0
**Description**
Spinnaker updated the URL validation logic for user input to sanitize URLs for clouddriver. However, Java URL objects do not correctly handle underscores during parsing, leading to a bypass of a previous issue. This impacts both clouddriver and Orca fromUrl expression handling. The issue stems from a flaw in how Java URL objects process underscores within URLs, effectively circumventing the intended URL validation.
**Recommendations**
Versions prior to 2025.4.1 should be updated to version 2025.4.1 or later.
Versions prior to 2025.3.1 should be updated to version 2025.3.1 or later.
Versions prior to 2025.2.4 should be updated to version 2025.2.4 or later.
Version 2026.0.0 contains a fix for this vulnerability.