Critical (9.9)

Spinnaker RCE via unrestricted Java classes (CVE-2026-32613)


Critical RCE in Spinnaker Echo service lets authenticated attackers execute arbitrary code on the host. Update to 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 now.

Affected: Spinnaker (Linux Foundation)

Patch now: CVE-2026-32613 is a critical remote code execution flaw in Spinnaker before the patched releases 2026.1.0, 2026.0.1, 2025.4.2 and 2025.3.2. A low-privileged authenticated user can evaluate unrestricted SpEL in the Echo service and gain full access to the host.

Overview

A critical security vulnerability in the Spinnaker continuous delivery platform allows authenticated users to execute arbitrary code on the host system. The flaw, tracked as CVE-2026-32613, resides in the platform’s Echo service, which is responsible for handling events and triggers.

Vulnerability Details

Spinnaker’s Echo service evaluates Spring Expression Language (SpEL) expressions while processing pipeline artifacts. In affected versions the SpEL evaluation context is not restricted: whereas the Orca service limits which classes an expression may reference, Echo exposes the full Java Virtual Machine (JVM) class space. Without that sandbox, anyone who can supply an expression can reference arbitrary Java classes (for example through a SpEL T(...) type reference) and invoke their methods, which reaches all the way down to process execution and file access on the host.

Impact

With a CVSS score of 9.9 (Critical), this vulnerability is highly severe. An attacker with low-privileged access to Spinnaker can use this flaw to run operating system commands, read or write sensitive files, and potentially take full control of the underlying server. Because Echo sits in the delivery path, that can lead to complete compromise of the continuous delivery pipeline, unauthorized deployments, and data theft.

Affected Versions

All Spinnaker versions prior to the following patched releases are vulnerable:

  • 2026.1.0
  • 2026.0.1
  • 2025.4.2
  • 2025.3.2

Remediation and Mitigation

The primary action is to update your Spinnaker deployment immediately to one of the patched versions listed above. The patch correctly restricts the SpEL context in the Echo service to a trusted set of classes.
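The following is an added example, not Spinnaker’s own code, that contrasts the unrestricted SpEL evaluation described under Vulnerability Details with the restricted context the fix introduces. It uses Spring’s spring-expression library directly (assumed on the classpath); the two payload strings are constructed for the demo and are deliberately harmless, and the allowlist of types and the denied method names are illustrative only, not the actual lists used by Orca or the Echo patch.

```java
import java.util.List;
import java.util.Set;

import org.springframework.core.convert.TypeDescriptor;
import org.springframework.expression.AccessException;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.MethodExecutor;
import org.springframework.expression.MethodResolver;
import org.springframework.expression.TypeLocator;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.ReflectiveMethodResolver;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.expression.spel.support.StandardTypeLocator;

// Added example (not Spinnaker code): unrestricted vs. restricted SpEL contexts.
public class SpelSandboxDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Constructed attacker-style expressions. They only read a property or
    // obtain a Class object; the same T(...) and reflection idioms are what an
    // attacker would point at Runtime.exec on a vulnerable Echo.
    static final String TYPE_REF_PAYLOAD = "T(java.lang.System).getProperty('java.version')";
    static final String REFLECTION_PAYLOAD = "''.getClass().forName('java.lang.Runtime').getName()";

    // Vulnerable pattern: StandardEvaluationContext resolves any class on the
    // classpath through T(...) and permits reflection, constructors and static calls.
    static Object evalUnrestricted(String expr) {
        return PARSER.parseExpression(expr).getValue(new StandardEvaluationContext());
    }

    // Hardened pattern 1: SimpleEvaluationContext has no type locator, so every
    // T(...) reference is rejected outright. Suitable when expressions only need
    // to read data bound into the context.
    static Object evalDataBindingOnly(String expr) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // Hardened pattern 2: keep StandardEvaluationContext but allowlist the classes
    // T(...) may resolve, and filter method names so that reflection on a literal
    // (''.getClass().forName(...)) cannot bypass the type allowlist.
    // Both sets are illustrative assumptions for this demo.
    static final Set<String> ALLOWED_TYPES = Set.of("java.lang.Math", "java.lang.String", "java.util.UUID");
    static final Set<String> DENIED_METHODS = Set.of("getClass", "forName", "newInstance", "exec");

    private static final MethodResolver FILTERED_RESOLVER = new ReflectiveMethodResolver() {
        @Override
        public MethodExecutor resolve(EvaluationContext ctx, Object target, String name,
                                      List<TypeDescriptor> argTypes) throws AccessException {
            if (DENIED_METHODS.contains(name)) {
                throw new AccessException("method not allowed in expressions: " + name);
            }
            return super.resolve(ctx, target, name, argTypes);
        }
    };

    static Object evalAllowlisted(String expr) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        TypeLocator jvm = new StandardTypeLocator();
        ctx.setTypeLocator(typeName -> {
            Class<?> cls = jvm.findType(typeName); // also resolves short java.lang names
            if (!ALLOWED_TYPES.contains(cls.getName())) {
                throw new EvaluationException("type not allowed in expressions: " + cls.getName());
            }
            return cls;
        });
        ctx.setMethodResolvers(List.of(FILTERED_RESOLVER));
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    public static void main(String[] args) {
        // Unrestricted: both payloads evaluate, which is the Echo bug in miniature.
        System.out.println("unrestricted T():        " + evalUnrestricted(TYPE_REF_PAYLOAD));
        System.out.println("unrestricted reflection: " + evalUnrestricted(REFLECTION_PAYLOAD));

        // Restricted: both payloads are rejected with an EvaluationException.
        for (String payload : List.of(TYPE_REF_PAYLOAD, REFLECTION_PAYLOAD)) {
            try {
                System.out.println("allowlisted: " + evalAllowlisted(payload));
            } catch (EvaluationException e) {
                System.out.println("allowlisted blocked: " + e.getMessage());
            }
        }
        try {
            System.out.println("data-binding: " + evalDataBindingOnly(TYPE_REF_PAYLOAD));
        } catch (EvaluationException e) {
            System.out.println("data-binding blocked: " + e.getMessage());
        }

        // Benign pipeline-style expressions still work under the allowlist.
        System.out.println("allowlisted benign: " + evalAllowlisted("T(java.lang.Math).max(3, 7)"));
    }
}
```

The point the second hardened pattern makes is the caveat a reviewer would raise against a fix that only swaps the type locator: an allowlist on T(...) does nothing about reflection reached through an ordinary method call on a string literal, so a sandbox for a general-purpose expression language has to constrain method resolution (and, in practice, property access and constructors) as well as type lookup. Whichever context Echo uses after the patch, both classes of expression above should fail to evaluate.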

If immediate patching is not possible, a workaround is to disable the Echo service entirely. That breaks core Spinnaker functionality for events, triggers and notifications, so it is strictly a temporary measure. Because exploitation needs only a low-privileged authenticated account, also review who is able to author pipelines and their expressions while the fix is pending, and treat the upgrade as a high-priority patch.

Security Insight

This vulnerability highlights a recurring pattern in complex, microservice-based platforms: inconsistent security controls across services. Orca restricted SpEL evaluation while Echo did not, which suggests the hardening was reviewed per service rather than platform-wide. It mirrors past incidents on other platforms where a single unhardened component became the entry point for a full exploit chain, and underscores the need for uniform, platform-wide enforcement of security policy: a sandbox that exists in one service must exist in every service that evaluates the same expression language.
