PT-2026-33843 · Spinnaker · Spinnaker
Published 2026-04-20 · Updated 2026-05-06 · CVE-2026-32613
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Spinnaker versions prior to 2026.1.0
Spinnaker versions prior to 2026.0.1
Spinnaker versions prior to 2025.4.2
Spinnaker versions prior to 2025.3.2
Description
Echo uses SpEL (Spring Expression Language), a powerful expression language for the Spring Framework, to process information regarding expected artifacts. The service failed to restrict the evaluation context to trusted classes, granting full JVM (Java Virtual Machine) access. This allows a user to use arbitrary Java classes to gain deep system access, enabling the invocation of commands and unauthorized access to files.
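The difference between an unrestricted and a restricted SpEL evaluation context, shown with the Spring Framework's own StandardEvaluationContext and SimpleEvaluationContext classes. This is an added example, not Echo's code or the Spinnaker patch; the Artifact class, method names and sample values are hypothetical, and the type-reference expression only reads a harmless JVM property.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {
    // Hypothetical stand-in for the data an expression is meant to read.
    public static class Artifact {
        private final String name;
        public Artifact(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Unrestricted: T(...) type references, constructors and method calls
    // all resolve, so the expression can reach any class on the classpath.
    static Object evalUnrestricted(String expr, Artifact root) {
        return PARSER.parseExpression(expr)
                     .getValue(new StandardEvaluationContext(root));
    }

    // Restricted: read-only property access on the root object only.
    // Type references, constructors and bean references are not available.
    static Object evalRestricted(String expr, Artifact root) {
        EvaluationContext ctx =
                SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Artifact a = new Artifact("constructed-sample.jar"); // constructed value
        String benign = "name";
        String typeRef = "T(java.lang.System).getProperty('java.version')";

        System.out.println(evalUnrestricted(benign, a));
        System.out.println(evalUnrestricted(typeRef, a)); // reaches a JVM class
        System.out.println(evalRestricted(benign, a));
        try {
            evalRestricted(typeRef, a);
        } catch (SpelEvaluationException e) {
            // The restricted context refuses to resolve the type reference.
            System.out.println("rejected: " + e.getMessageCode());
        }
    }
}
```

When reviewing other services for the same class of flaw, any `StandardEvaluationContext` (or a `getValue` call with no context argument) that evaluates user-influenced strings deserves the same scrutiny.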
Recommendations
Update to version 2026.1.0
Update to version 2026.0.1
Update to version 2025.4.2
Update to version 2025.3.2
As a temporary workaround, disable echo entirely.
Fix
RCE
Code Injection
Affected Products
Spinnaker