GHSA-69rw-45wj-g4v6

Source
https://github.com/advisories/GHSA-69rw-45wj-g4v6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-69rw-45wj-g4v6/GHSA-69rw-45wj-g4v6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-69rw-45wj-g4v6
Aliases
  • CVE-2026-32613
Published
2026-04-21T14:53:34Z
Modified
2026-05-05T16:02:41.955378Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Spinnaker: RCE via expression parsing due to unrestricted context handling
Details

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, Echo, unlike Orca, did not restrict the expression evaluation context to a set of trusted classes and instead allowed full JVM access. A user could therefore use arbitrary Java classes that give deep access to the system, including the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable Echo entirely.

Database specific
{
    "github_reviewed_at": "2026-04-21T14:53:34Z",
    "github_reviewed": true,
    "severity": "CRITICAL",
    "nvd_published_at": "2026-04-20T21:16:32Z",
    "cwe_ids": [
        "CWE-94"
    ]
}
Affected packages

Maven
io.spinnaker.echo:echo-pipelinetriggers

Package

Name
io.spinnaker.echo:echo-pipelinetriggers
Purl
pkg:maven/io.spinnaker.echo/echo-pipelinetriggers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2026.0-0
Fixed
2026.0.1

Affected versions

2026.*
2026.0-0
2026.0.0
2026.0-1
2026.0-2
2026.0-3
2026.0-4
2026.0-5
2026.0-6
2026.0-7
2026.0-8
2026.0-9
2026.0-10
2026.0-11
2026.0-12
2026.0-13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-69rw-45wj-g4v6/GHSA-69rw-45wj-g4v6.json"
io.spinnaker.echo:echo-pipelinetriggers

Package

Name
io.spinnaker.echo:echo-pipelinetriggers
Purl
pkg:maven/io.spinnaker.echo/echo-pipelinetriggers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2025.4-0
Fixed
2025.4.2

Affected versions

2025.*
2025.4-0
2025.4.0
2025.4-1
2025.4-2
2025.4-3
2025.4-4
2025.4-5
2025.4-6
2025.4-7
2025.4-8
2025.4-9
2025.4-10
2025.4-11
2025.4-12
2025.4-13
2025.4-14
2025.4-15
2025.4-16
2025.4.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-69rw-45wj-g4v6/GHSA-69rw-45wj-g4v6.json"
io.spinnaker.echo:echo-pipelinetriggers

Package

Name
io.spinnaker.echo:echo-pipelinetriggers
Purl
pkg:maven/io.spinnaker.echo/echo-pipelinetriggers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2025.3.2

Affected versions

Other
main-5
main-6
main-7
main-8
main-9
main-10
main-11
main-12
main-13
main-14
main-15
main-16
main-17
main-18
main-19
main-20
main-21
main-22
main-23
main-24
main-30
main-31
main-32
main-33
main-34
main-35
main-36
main-37
main-38
main-39
main-40
main-41
main-42
main-43
main-44
main-45
main-46
main-47
main-48
main-49
main-50
main-51
main-52
main-53
main-54
main-55
main-56
main-57
main-58
main-59
main-60
main-61
main-62
main-63
main-64
main-65
main-66
main-67
main-68
main-69
main-70
main-71
main-72
main-73
main-74
main-75
main-76
main-77
main-78
main-79
main-80
main-81
main-84
main-85
main-86
main-87
main-88
main-89
main-90
main-91
main-92
main-93
main-94
main-95
main-96
main-97
main-98
main-99
main-100
main-101
main-102
main-103
main-104
main-105
main-106
main-107
main-108
main-109
main-111
main-112
main-113
main-114
main-115
main-116
main-117
main-118
main-119
main-120
main-121
main-122
main-123
main-124
main-125
main-126
main-127
main-128
main-129
main-130
main-131
main-132
main-133
main-134
main-135
main-136
main-137
main-138
main-139
main-140
main-141
main-142
main-143
main-144
main-145
main-146
main-147
main-148
main-149
main-150
main-151
main-152
main-153
main-154
main-155
main-156
main-157
main-158
main-159
main-160
main-161
main-162
main-163
main-164
main-165
main-166
main-167
main-168
main-169
main-170
main-171
main-172
main-173
main-174
main-175
main-176
main-177
main-178
main-179
main-180
main-181
main-182
main-183
main-184
main-185
main-186
main-187
main-188
main-189
main-190
main-191
main-192
main-193
main-194
main-195
main-196
main-197
main-198
main-199
main-200
main-201
main-202
main-203
main-204
main-205
main-206
main-207
main-208
main-209
main-210
main-211
main-212
main-213
main-214
main-215
main-216
main-217
main-218
main-219
main-220
2.*
2.32.1
2.32.2
2.32.3
2.32.4
2.32.5
2.32.6
2.32.7
2.33.0
2.34.0
2.34.1
2.34.2
2.34.3
2.34.4
2.34.5
2.34.6
2.34.7
2.35.0
2.36.0
2.36.1
2.36.2
2.36.3
2.36.4
2.36.5
2.37.0
2.37.1
2.37.2
2.37.3
2.38.0
2.38.1
2.39.0
2.39.1
2.40.0
2.40.1
2.40.2
2.41.0
2.41.1
2.42.0
2.43.0
2.43.1
2.43.2
2.43.3
2.44.0
2.44.1
2.44.2
2.44.3
2.44.4
2.44.5
2.44.6
2.44.7
2.45.0
2.46.0
2.47.0
2.47.1
2.47.2
2025.*
2025.0-0
2025.0.0
2025.0-1
2025.0-2
2025.0-3
2025.0-4
2025.0-5
2025.0-6
2025.0-7
2025.0-8
2025.0-9
2025.0-10
2025.0-11
2025.0-12
2025.0-13
2025.0-14
2025.0-15
2025.0-16
2025.0-17
2025.0-18
2025.0-19
2025.0-20
2025.0-21
2025.0-22
2025.0-23
2025.0-24
2025.0-25
2025.0.1
2025.0.2
2025.0.3
2025.0.4
2025.0.5
2025.0.6
2025.0.7
2025.0.8
2025.1-0
2025.1.0
2025.1-1
2025.1-2
2025.1-3
2025.1-4
2025.1-5
2025.1-6
2025.1-7
2025.1-8
2025.1-9
2025.1-10
2025.1-11
2025.1-12
2025.1-13
2025.1-14
2025.1-15
2025.1-16
2025.1-17
2025.1-18
2025.1-19
2025.1-20
2025.1-21
2025.1-22
2025.1.1
2025.1.2
2025.1.3
2025.1.4
2025.1.5
2025.1.6
2025.2-0
2025.2.0
2025.2-1
2025.2-2
2025.2-3
2025.2-4
2025.2-5
2025.2-6
2025.2-7
2025.2-8
2025.2-9
2025.2-10
2025.2-11
2025.2-12
2025.2-13
2025.2-14
2025.2-15
2025.2-16
2025.2.1
2025.2.2
2025.2.3
2025.2.4
2025.3-0
2025.3.0
2025.3-1
2025.3-2
2025.3-3
2025.3-4
2025.3-5
2025.3-6
2025.3-7
2025.3-8
2025.3-9
2025.3-10
2025.3.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-69rw-45wj-g4v6/GHSA-69rw-45wj-g4v6.json"