External risk intelligence

Spinnaker allows attackers to control systems or steal data by exploiting an Echo service flaw.

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-32613

An internal attacker with access to Spinnaker’s deployment pipeline can run unauthorized commands or access restricted system files. This could allow them to take complete control of your continuous delivery platform and gain unauthorized access to your wider production cloud environments.

Halo Surface Signal: 2

Code Injection

Linuxfoundation Spinnaker

Affected versions:

  • before 2025.3.2
  • 2025.4.0 to before 2025.4.2
  • 2026.0.0 to before 2026.0.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-32613

Spinnaker is a continuous delivery platform primarily utilized for internal CI/CD pipelines. It is typically deployed within protected internal networks or behind VPNs, accessible to developers and CI/CD automation tools, rather than being an internet-facing service.

Horizon Alert

Summary of the vulnerability and why it matters

A critical security flaw in the Spinnaker continuous delivery platform allows an attacker to execute arbitrary code on the system. This issue exists because a component named Echo incorrectly trusted user-provided input, enabling deep system access. This could lead to unauthorized command execution or data compromise.

  • Affected systems could be controlled.
  • Sensitive data may be exposed.
  • Requires existing access.

Attack Path

How an attacker could exploit the issue

An authenticated attacker with low privileges can exploit this vulnerability by crafting malicious SpEL expressions within Spinnaker's Echo service. This allows them to execute arbitrary Java code on the server, granting them deep system access to invoke commands or read files.

  • Requires authenticated access.
  • Targets Echo service with SpEL.
  • Affects Spinnaker prior to patched versions.

Live Threat

Current exploitation, exposure, and threat context

This Spinnaker vulnerability allows for full JVM access via SpEL injection in the Echo service, enabling arbitrary command execution and file access. While technically a critical vulnerability, its weaponization likelihood is tempered by Spinnaker's typical deployment environment and audience. Attackers may find it less attractive for widespread exploitation due to its niche use and the technical expertise required to target it effectively, though it presents a significant risk to organizations using the affected versions.

  • Primarily internal target audience.
  • Exploits require specific Spinnaker configuration.
  • No current public exploit or KEV listing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching or updating Spinnaker to a fixed version to address the critical SpEL injection vulnerability. If immediate patching is not feasible due to operational constraints, disabling the Echo component serves as an effective workaround to mitigate the risk of arbitrary code execution.

  • Patch Spinnaker to 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2.
  • Disable the Echo component as a workaround.
  • Monitor for unexpected Echo service activity.
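To check an inventory of Spinnaker installs against the affected and fixed version ranges this advisory lists, here is an added Python helper (not part of the advisory or of the Spinnaker project); the host names and version strings in the sample inventory are constructed, and the pre-release ordering rule is an assumption made to err on the side of flagging.

```python
"""Triage Spinnaker versions against the CVE-2026-32613 ranges given in this advisory.

Affected: before 2025.3.2; 2025.4.0 to before 2025.4.2; 2026.0.0 to before 2026.0.1.
Fixed releases listed: 2026.1.0, 2026.0.1, 2025.4.2, 2025.3.2.
"""
from __future__ import annotations

import re

# (inclusive lower bound or None, exclusive upper bound), copied from the advisory.
AFFECTED_RANGES = [
    (None, "2025.3.2"),
    ("2025.4.0", "2025.4.2"),
    ("2026.0.0", "2026.0.1"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+](.*))?$")


def parse_version(ver: str) -> tuple[int, int, int, int]:
    """Turn '2025.4.1' or 'v2025.4.2-rc1' into a comparable tuple.

    Assumption: any '-rc1'/'+build' suffix sorts *below* the bare release, so a
    pre-release of a fix version is conservatively still reported as affected.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Spinnaker version string: {ver!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, -1 if m.group(4) is not None else 0)


def is_affected(ver: str) -> bool:
    """True if `ver` falls inside any advisory range (lower inclusive, upper exclusive)."""
    v = parse_version(ver)
    return any(
        (lower is None or parse_version(lower) <= v) and v < parse_version(upper)
        for lower, upper in AFFECTED_RANGES
    )


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> 'AFFECTED' / 'not_affected' / 'unparseable' for a version inventory."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(ver) else "not_affected"
        except ValueError:
            result[host] = "unparseable"  # needs a manual look, e.g. 'latest' tags
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or observed versions.
    sample = {"cd-prod-01": "2025.3.1", "cd-prod-02": "v2025.4.2", "cd-staging": "2026.0.0",
              "cd-lab": "2025.3.5", "cd-dev": "2026.1.0", "cd-legacy": "1.30.4", "cd-x": "latest"}
    for host, status in triage(sample).items():
        print(f"{host:12} {sample[host]:12} {status}")
```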

Frequently asked questions

What is Spinnaker and its primary function?

Spinnaker is an open-source, multi-cloud continuous delivery platform. It automates the deployment of software applications across various cloud environments.

What type of vulnerability is CVE-2026-32613 in Spinnaker?

CVE-2026-32613 is a critical vulnerability related to improper processing of SpEL expressions within Spinnaker's Echo service, which can lead to arbitrary Java code execution.

How can an attacker exploit the Spinnaker Echo service flaw?

An authenticated attacker with low privileges can exploit this flaw by crafting malicious SpEL expressions in Spinnaker's Echo service, enabling arbitrary Java code execution and deep system access.

How does the Halo Surface Signal assess the threat of CVE-2026-32613?

Halo Surface Signal assesses this CVE as 'Unlikely' to be widely exploited due to Spinnaker's typical deployment within internal networks and its specialized user base, making it a less attractive target for broad attacks.

What are the recommended actions for Spinnaker users regarding CVE-2026-32613?

Users should update Spinnaker to patched versions (2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2). If patching isn't immediately possible, disabling the Echo component is a viable workaround.
