GHSA-x3j7-7pgj-h87r

Source
https://github.com/advisories/GHSA-x3j7-7pgj-h87r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x3j7-7pgj-h87r/GHSA-x3j7-7pgj-h87r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x3j7-7pgj-h87r
Aliases
  • CVE-2026-32604
Published
2026-04-21T14:48:38Z
Modified
2026-05-05T16:12:08.904119Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths
Details

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can easily execute arbitrary commands on the clouddriver pods, which can expose credentials, remove files, or inject resources. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

Database specific
{
    "github_reviewed_at": "2026-04-21T14:48:38Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-04-20T21:16:32Z"
}
References

Affected packages

Maven / io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo

Package

Name
io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo
Purl
pkg:maven/io.spinnaker.clouddriver/clouddriver-artifacts-gitrepo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2026.0.1

Affected versions

Other
main-132
main-133
main-134
main-135
main-136
main-137
main-139
main-140
main-141
main-142
main-143
main-144
main-145
main-146
main-147
main-148
main-149
main-150
main-151
main-152
main-153
main-154
main-155
main-156
main-157
main-158
main-159
main-160
main-161
main-162
main-163
main-164
main-165
main-166
main-167
main-168
main-169
main-170
main-171
main-172
main-173
main-174
main-175
main-176
main-177
main-178
main-179
main-180
main-181
main-182
main-183
main-184
main-185
main-186
main-187
main-188
main-189
main-190
main-191
main-192
main-193
main-194
main-195
main-196
main-197
main-198
main-199
main-200
main-201
main-202
main-203
main-204
main-205
main-206
main-207
main-208
main-209
main-210
main-211
main-212
main-213
main-214
main-215
main-216
main-217
main-218
main-219
main-220
2026.*
2026.0-0
2026.0.0
2026.0-1
2026.0-2
2026.0-3
2026.0-4
2026.0-5
2026.0-6
2026.0-7
2026.0-8
2026.0-9
2026.0-10
2026.0-11
2026.0-12
2026.0-13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x3j7-7pgj-h87r/GHSA-x3j7-7pgj-h87r.json"