PT-2026-51444 · Maven · Io.Spinnaker.Orca:Orca-Core+1

Published

2026-06-22

·

Updated

2026-06-22

·

CVE-2026-44795

CVSS v3.1

8.5

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Impact

There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when when performing:
  • CloudFormation deployments
  • CloudFoundry Baking
The usage of a non-safe constructor use allows arbitrary loading of Java classes leading to RCE.

Patches

2025.3.3, 2026.0.3 and 2025.4.4.

Workarounds

Disable the CloudFormation system and cloudfoundry baking operations.

Resources

Join Spinnaker on Slack for more information!

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-470CWE-502

Related Identifiers

CVE-2026-44795
GHSA-C8Q4-9H32-2WW8

Affected Products

Io.Spinnaker.Orca:Orca-Core
Io.Spinnaker.Rosco:Rosco-Core