LeakyCreds

CVE-2026-25534 - Vulnerability Analysis

Critical | CVSS: 9.1

Last Updated: March 18, 2026

Spinnaker - Validation Bypass

Published: March 17, 2026 | Updated: March 18, 2026 | Remote Exploitable

Overview

Spinnaker versions before 2025.4.1, 2025.3.1, 2025.2.4, and 2026.0.0 contain a URL validation bypass caused by improper handling of underscores in Java URL parsing, affecting clouddriver and the Orca fromUrl expression. An attacker can bypass URL validation by supplying a crafted URL.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 4.1% (probability of exploitation in the next 30 days)

Impact

Attackers can bypass URL validation, potentially leading to unauthorized actions or security bypasses in affected components.

Mitigation

Update to versions 2025.4.1, 2025.3.1, 2025.2.4, 2026.0.0 or later.

Social Media Activity (1 post)

Offensive Sequence
@offseq
Mar 18, 2026

🚨 CRITICAL: CVE-2026-25534 SSRF in Spinnaker clouddriver-artifacts. Versions <2025.2.4 & select 2025.x allow SSRF via URL validation bypass. Patch to 2025.2.4+, 2025.3.1, 2025.4.1, or 2026.0.0 ASAP! Details: https://radar.offseq.com/threat/cve-2026-25534-cwe-918-server-side-request-forgery-618622b4 #OffSeq #SSRF #Spinnaker

Details

CVE ID: CVE-2026-25534
Severity: Critical
CVSS Score: 9.1
Type: undefined
Status: unconfirmed
EPSS: 4.1%
Social Posts: 1

CWE

  • CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

EPSS Score

4.1% (probability of exploitation in the next 30 days)