CVE-2026-25534

Source
https://cve.org/CVERecord?id=CVE-2026-25534
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25534.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25534
Aliases
Related
Published
2026-03-17T17:27:41.345Z
Modified
2026-04-10T05:40:38.722473Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Summary
Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Details

Impact

Spinnaker updated its URL validation logic to sanitize user-supplied URLs for clouddriver. However, that change missed that Java URL objects do not correctly handle underscores when parsing. This allowed a bypass of the fix for the previous CVE (CVE-2025-61916) through carefully crafted URLs. Spinnaker found the problem not only in that fix but also in the existing URL validation in Orca's fromUrl expression handling. As a result, this CVE affects BOTH artifacts.

Patches

The fix has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.

Workarounds

You can disable the various artifacts on this system to work around these limits.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25534.json"
}
References

Affected packages

Git / github.com/spinnaker/spinnaker

Affected ranges

Type
GIT
Repo
https://github.com/spinnaker/spinnaker
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2025.2.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/spinnaker/spinnaker
Events
Database specific
{
    "versions": [
        {
            "introduced": "2025.3.0"
        },
        {
            "fixed": "2025.3.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/spinnaker/spinnaker
Events
Database specific
{
    "versions": [
        {
            "introduced": "2025.4.0"
        },
        {
            "fixed": "2025.4.1"
        }
    ]
}

Affected versions

bn-clouddriver-release-2025.*
bn-clouddriver-release-2025.2.x-5
Other
bn-deck-kayenta-main-2
clouddriver-main-10
clouddriver-main-11
clouddriver-main-12
clouddriver-main-13
clouddriver-main-14
clouddriver-main-15
clouddriver-main-16
clouddriver-main-17
clouddriver-main-18
clouddriver-main-19
clouddriver-main-2
clouddriver-main-20
clouddriver-main-21
clouddriver-main-22
clouddriver-main-23
clouddriver-main-24
clouddriver-main-25
clouddriver-main-26
clouddriver-main-27
clouddriver-main-28
clouddriver-main-29
clouddriver-main-3
clouddriver-main-30
clouddriver-main-31
clouddriver-main-32
clouddriver-main-33
clouddriver-main-34
clouddriver-main-35
clouddriver-main-36
clouddriver-main-37
clouddriver-main-38
clouddriver-main-39
clouddriver-main-4
clouddriver-main-40
clouddriver-main-41
clouddriver-main-42
clouddriver-main-43
clouddriver-main-5
clouddriver-main-6
clouddriver-main-60
clouddriver-main-7
clouddriver-main-8
clouddriver-main-9
deck-kayenta-main-2
deck-main-2
echo-main-1
echo-main-10
echo-main-11
echo-main-12
echo-main-13
echo-main-14
echo-main-15
echo-main-16
echo-main-17
echo-main-18
echo-main-19
echo-main-2
echo-main-20
echo-main-21
echo-main-22
echo-main-23
echo-main-24
echo-main-25
echo-main-26
echo-main-27
echo-main-28
echo-main-3
echo-main-37
echo-main-4
echo-main-5
echo-main-6
echo-main-7
echo-main-8
fiat-main-1
fiat-main-10
fiat-main-11
fiat-main-12
fiat-main-13
fiat-main-14
fiat-main-15
fiat-main-16
fiat-main-17
fiat-main-18
fiat-main-19
fiat-main-2
fiat-main-20
fiat-main-21
fiat-main-22
fiat-main-3
fiat-main-30
fiat-main-4
fiat-main-5
fiat-main-6
fiat-main-8
fiat-main-9
front50-main-1
front50-main-10
front50-main-11
front50-main-12
front50-main-13
front50-main-14
front50-main-15
front50-main-16
front50-main-17
front50-main-18
front50-main-19
front50-main-2
front50-main-20
front50-main-21
front50-main-22
front50-main-23
front50-main-3
front50-main-34
front50-main-4
front50-main-5
front50-main-6
front50-main-8
front50-main-9
gate-main-1
gate-main-10
gate-main-11
gate-main-12
gate-main-13
gate-main-14
gate-main-15
gate-main-16
gate-main-17
gate-main-18
gate-main-19
gate-main-2
gate-main-20
gate-main-21
gate-main-22
gate-main-23
gate-main-24
gate-main-25
gate-main-26
gate-main-27
gate-main-28
gate-main-29
gate-main-3
gate-main-4
gate-main-46
gate-main-5
gate-main-6
gate-main-8
gate-main-9
halyard-main-1
halyard-main-10
halyard-main-11
halyard-main-12
halyard-main-13
halyard-main-14
halyard-main-15
halyard-main-16
halyard-main-17
halyard-main-18
halyard-main-19
halyard-main-2
halyard-main-20
halyard-main-21
halyard-main-22
halyard-main-23
halyard-main-24
halyard-main-25
halyard-main-26
halyard-main-27
halyard-main-28
halyard-main-29
halyard-main-3
halyard-main-30
halyard-main-31
halyard-main-32
halyard-main-33
halyard-main-34
halyard-main-35
halyard-main-36
halyard-main-37
halyard-main-38
halyard-main-39
halyard-main-4
halyard-main-40
halyard-main-41
halyard-main-42
halyard-main-43
halyard-main-44
halyard-main-45
halyard-main-5
halyard-main-6
halyard-main-65
halyard-main-7
halyard-main-8
igor-main-1
igor-main-10
igor-main-11
igor-main-12
igor-main-13
igor-main-14
igor-main-15
igor-main-16
igor-main-17
igor-main-18
igor-main-19
igor-main-2
igor-main-20
igor-main-21
igor-main-22
igor-main-23
igor-main-24
igor-main-25
igor-main-26
igor-main-27
igor-main-3
igor-main-36
igor-main-4
igor-main-5
igor-main-6
igor-main-8
kayenta-main-1
kayenta-main-10
kayenta-main-11
kayenta-main-12
kayenta-main-13
kayenta-main-14
kayenta-main-15
kayenta-main-16
kayenta-main-17
kayenta-main-18
kayenta-main-19
kayenta-main-2
kayenta-main-20
kayenta-main-21
kayenta-main-22
kayenta-main-23
kayenta-main-24
kayenta-main-25
kayenta-main-26
kayenta-main-27
kayenta-main-28
kayenta-main-29
kayenta-main-3
kayenta-main-30
kayenta-main-31
kayenta-main-32
kayenta-main-33
kayenta-main-34
kayenta-main-35
kayenta-main-36
kayenta-main-37
kayenta-main-4
kayenta-main-5
kayenta-main-6
kayenta-main-69
kayenta-main-7
kayenta-main-9
keel-main-1
keel-main-10
keel-main-11
keel-main-12
keel-main-13
keel-main-14
keel-main-15
keel-main-16
keel-main-17
keel-main-18
keel-main-19
keel-main-2
keel-main-20
keel-main-21
keel-main-22
keel-main-23
keel-main-3
keel-main-31
keel-main-4
keel-main-5
keel-main-6
keel-main-8
keel-main-9
orca-main-1
orca-main-10
orca-main-11
orca-main-12
orca-main-13
orca-main-14
orca-main-15
orca-main-16
orca-main-17
orca-main-18
orca-main-19
orca-main-2
orca-main-20
orca-main-21
orca-main-22
orca-main-23
orca-main-24
orca-main-25
orca-main-26
orca-main-27
orca-main-28
orca-main-3
orca-main-30
orca-main-31
orca-main-32
orca-main-33
orca-main-34
orca-main-35
orca-main-36
orca-main-4
orca-main-5
orca-main-6
orca-main-68
orca-main-7
orca-main-9
rosco-main-1
rosco-main-10
rosco-main-11
rosco-main-12
rosco-main-14
rosco-main-15
rosco-main-16
rosco-main-17
rosco-main-18
rosco-main-19
rosco-main-2
rosco-main-20
rosco-main-21
rosco-main-22
rosco-main-3
rosco-main-30
rosco-main-4
rosco-main-5
rosco-main-6
rosco-main-8
rosco-main-9
bn-deck-kayenta-release-2025.*
bn-deck-kayenta-release-2025.0.x-0
bn-deck-kayenta-release-2025.1.x-0
bn-deck-kayenta-release-2025.2.x-4
bn-deck-kayenta-release-2025.3.x-6
bn-deck-release-2025.*
bn-deck-release-2025.0.x-0
bn-deck-release-2025.1.x-0
bn-deck-release-2025.2.x-2
bn-deck-release-2025.3.x-3
bn-deck-release-2025.4.x-4
bn-echo-release-2025.*
bn-echo-release-2025.2.x-1
bn-fiat-release-2025.*
bn-fiat-release-2025.2.x-0
bn-front50-release-2025.*
bn-front50-release-2025.2.x-0
bn-gate-release-2025.*
bn-gate-release-2025.2.x-3
bn-halyard-release-2025.*
bn-halyard-release-2025.2.x-6
bn-igor-release-2025.*
bn-igor-release-2025.2.x-0
bn-kayenta-release-2025.*
bn-kayenta-release-2025.2.x-9
bn-keel-release-2025.*
bn-keel-release-2025.2.x-0
bn-orca-release-2025.*
bn-orca-release-2025.2.x-9
bn-rosco-release-2025.*
bn-rosco-release-2025.2.x-0
bn-spin-release-2025.*
bn-spin-release-2025.0.x-0
bn-spin-release-2025.1.x-0
bn-spin-release-2025.2.x-0
bn-spin-release-2025.3.x-3
bn-spin-release-2025.4.x-0
bn-spinnaker-libraries-release-2025.*
bn-spinnaker-libraries-release-2025.2.x-16
bn-spinnaker-release-2025.*
bn-spinnaker-release-2025.2.x-3
bn-spinnaker-release-2025.3.x-0
bn-spinnaker-release-2025.4.x-0
clouddriver-2025.*
clouddriver-2025.0-0
clouddriver-2025.1-0
clouddriver-2025.1.0
clouddriver-2025.2-0
clouddriver-2025.2-1
clouddriver-2025.2-2
clouddriver-2025.2-3
clouddriver-2025.2-4
clouddriver-2025.2-5
clouddriver-2025.2.0
clouddriver-2025.2.1
clouddriver-2025.2.2
clouddriver-2025.2.3
clouddriver-2025.2.4
clouddriver-2025.3-2
clouddriver-2025.3-3
clouddriver-2025.3.0
clouddriver-2025.3.1
clouddriver-2025.4-0
clouddriver-2025.4-1
clouddriver-2025.4-2
clouddriver-2025.4-3
clouddriver-2025.4.0
clouddriver-2025.4.1
deck-2025.*
deck-2025.1-0
deck-2025.1.0
deck-2025.2-0
deck-2025.2-2
deck-2025.2.0
deck-2025.2.1
deck-2025.2.2
deck-2025.2.3
deck-2025.2.4
deck-2025.3-3
deck-2025.3.0
deck-2025.3.1
deck-2025.4-0
deck-2025.4-4
deck-2025.4.0
deck-2025.4.1
deck-kayenta-2025.*
deck-kayenta-2025.1-0
deck-kayenta-2025.1.0
deck-kayenta-2025.2-0
deck-kayenta-2025.2.0
deck-kayenta-2025.2.1
deck-kayenta-2025.2.2
deck-kayenta-2025.2.3
deck-kayenta-2025.3.0
deck-kayenta-2025.4-0
deck-kayenta-2025.4.0
echo-2025.*
echo-2025.0-0
echo-2025.1-0
echo-2025.1.0
echo-2025.2-0
echo-2025.2-1
echo-2025.2.0
echo-2025.2.1
echo-2025.2.2
echo-2025.2.3
echo-2025.2.4
echo-2025.3-1
echo-2025.3.0
echo-2025.3.1
echo-2025.4-0
echo-2025.4-1
echo-2025.4.0
echo-2025.4.1
fiat-2025.*
fiat-2025.0-0
fiat-2025.1-0
fiat-2025.1.0
fiat-2025.2-0
fiat-2025.2.0
fiat-2025.2.1
fiat-2025.2.2
fiat-2025.2.3
fiat-2025.2.4
fiat-2025.3-1
fiat-2025.3.0
fiat-2025.3.1
fiat-2025.4-0
fiat-2025.4-1
fiat-2025.4.0
fiat-2025.4.1
front50-2025.*
front50-2025.0-0
front50-2025.1-0
front50-2025.1.0
front50-2025.2-0
front50-2025.2.0
front50-2025.2.1
front50-2025.2.2
front50-2025.2.3
front50-2025.2.4
front50-2025.3-1
front50-2025.3.0
front50-2025.3.1
front50-2025.4-0
front50-2025.4-1
front50-2025.4.0
front50-2025.4.1
gate-2025.*
gate-2025.0-0
gate-2025.1-0
gate-2025.1.0
gate-2025.2-0
gate-2025.2-1
gate-2025.2-2
gate-2025.2-3
gate-2025.2.0
gate-2025.2.1
gate-2025.2.2
gate-2025.2.3
gate-2025.2.4
gate-2025.3-1
gate-2025.3.0
gate-2025.3.1
gate-2025.4-0
gate-2025.4-1
gate-2025.4.0
gate-2025.4.1
halyard-2025.*
halyard-2025.0-0
halyard-2025.1-0
halyard-2025.1.0
halyard-2025.2-0
halyard-2025.2-1
halyard-2025.2-2
halyard-2025.2-3
halyard-2025.2-4
halyard-2025.2-5
halyard-2025.2-6
halyard-2025.2.0
halyard-2025.2.1
halyard-2025.2.2
halyard-2025.2.3
halyard-2025.2.4
halyard-2025.3-1
halyard-2025.3-2
halyard-2025.3-3
halyard-2025.3-4
halyard-2025.3.0
halyard-2025.3.1
halyard-2025.4-0
halyard-2025.4-1
halyard-2025.4-2
halyard-2025.4-3
halyard-2025.4-4
halyard-2025.4.0
halyard-2025.4.1
igor-2025.*
igor-2025.0-0
igor-2025.1-0
igor-2025.1.0
igor-2025.2-0
igor-2025.2.0
igor-2025.2.1
igor-2025.2.2
igor-2025.2.3
igor-2025.2.4
igor-2025.3-1
igor-2025.3.0
igor-2025.3.1
igor-2025.4-0
igor-2025.4-1
igor-2025.4.0
igor-2025.4.1
kayenta-2025.*
kayenta-2025.0-0
kayenta-2025.1-0
kayenta-2025.1.0
kayenta-2025.2-0
kayenta-2025.2-1
kayenta-2025.2-2
kayenta-2025.2-3
kayenta-2025.2-4
kayenta-2025.2-5
kayenta-2025.2-6
kayenta-2025.2-7
kayenta-2025.2-8
kayenta-2025.2-9
kayenta-2025.2.0
kayenta-2025.2.1
kayenta-2025.2.2
kayenta-2025.2.3
kayenta-2025.2.4
kayenta-2025.3-1
kayenta-2025.3-2
kayenta-2025.3.0
kayenta-2025.3.1
kayenta-2025.4-0
kayenta-2025.4-1
kayenta-2025.4-2
kayenta-2025.4-3
kayenta-2025.4.0
kayenta-2025.4.1
keel-2025.*
keel-2025.0-0
keel-2025.1-0
keel-2025.1.0
keel-2025.2-0
keel-2025.2.0
keel-2025.2.1
keel-2025.2.2
keel-2025.2.3
keel-2025.2.4
keel-2025.3-1
keel-2025.3.0
keel-2025.3.1
keel-2025.4-0
keel-2025.4-1
keel-2025.4.0
keel-2025.4.1
orca-2025.*
orca-2025.0-0
orca-2025.1-0
orca-2025.1.0
orca-2025.2-0
orca-2025.2-1
orca-2025.2-2
orca-2025.2-3
orca-2025.2-4
orca-2025.2-5
orca-2025.2-6
orca-2025.2-7
orca-2025.2-8
orca-2025.2-9
orca-2025.2.0
orca-2025.2.1
orca-2025.2.2
orca-2025.2.3
orca-2025.2.4
orca-2025.3-1
orca-2025.3-2
orca-2025.3.0
orca-2025.3.1
orca-2025.4-0
orca-2025.4-1
orca-2025.4-2
orca-2025.4-3
orca-2025.4.0
orca-2025.4.1
rosco-2025.*
rosco-2025.0-0
rosco-2025.1-0
rosco-2025.1.0
rosco-2025.2-0
rosco-2025.2.0
rosco-2025.2.1
rosco-2025.2.2
rosco-2025.2.3
rosco-2025.2.4
rosco-2025.3-1
rosco-2025.3.0
rosco-2025.3.1
rosco-2025.4-1
rosco-2025.4-2
rosco-2025.4.0
rosco-2025.4.1
spinnaker-release-2024.*
spinnaker-release-2024.0.0
spinnaker-release-2025.*
spinnaker-release-2025.2.0
spinnaker-release-2025.2.1
spinnaker-release-2025.2.2
spinnaker-release-2025.2.3
spinnaker-release-2025.3.0
spinnaker-release-2025.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25534.json"