CVE-2026-25534 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: March 17, 2026
Spinnaker - Validation Bypass
Published: March 17, 2026 | Updated: March 17, 2026 | Remote Exploitable
Overview
Spinnaker versions before 2025.4.1, 2025.3.1, 2025.2.4, and 2026.0.0 contain a validation bypass caused by improper handling of underscores in Java URL parsing in clouddriver and the Orca fromUrl expression. This lets attackers bypass URL validation. Exploitation requires crafted URLs.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can bypass URL validation, potentially leading to unauthorized actions or security bypasses in affected components.
Mitigation
Update to versions 2025.4.1, 2025.3.1, 2025.2.4, 2026.0.0 or later.
Details
- CVE ID: CVE-2026-25534
- Severity: Critical
- CVSS Score: 9.1
- Status: new
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L