CVE-2026-32604 · CRITICAL 9.9 · EPSS p44.3%

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.61% probability of exploitation · percentile 44.3% · 2026-06-19T12:03:05Z
Published: 2026-04-20
Last modified: 2026-04-23

Underlying weaknesses · 1

CWE-20

References

  1. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2
  2. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2
  3. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1
  4. https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r
  5. https://zeropath.com/blog/spinnaker-rce-production-compromise

Type | Target | Confidence | Tier
Weakness | Improper Input Validation (cwe-20) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-32613
  2. CVE-2026-25534
  3. CVE-2026-41050
  4. CVE-2026-23654
  5. CVE-2025-12029
  6. CVE-2026-0704

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.