CVE-2026-32613 - Vulnerability Analysis
Critical | CVSS: 9.9 | Last Updated: April 20, 2026
Spinnaker Echo - Remote Code Execution
Published: April 20, 2026 | Updated: April 20, 2026 | Remote Exploitable
Overview
Spinnaker Echo versions before 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a remote code execution vulnerability caused by an unrestricted Spring Expression Language (SpEL) context that allows full JVM access, letting attackers execute arbitrary commands and access files. Exploitation requires user input to be processed by Echo.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Attackers can execute arbitrary code and access system files, potentially leading to full system compromise.
Mitigation
Upgrade to versions 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 or later.
References
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6
Details
- CVE ID: CVE-2026-32613
- Severity: Critical
- CVSS Score: 9.9
- Type: expression_language_injection
- Status: new
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H