Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

Vulnerability IntelligenceGHSA-x3j7-7pgj-h87r

GHSA-x3j7-7pgj-h87r

CRITICAL9.9

Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Published Apr 21, 2026

Modified 4 days ago

Fix available

Details

Impact

A bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily.

Workarounds

Disable the gitrepo artifact types.

Affected Packages

io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo

Maven

Fixed in:

2026.0.1

References

ADVISORY

https://github.com/advisories/GHSA-x3j7-7pgj-h87r

PACKAGE

https://github.com/spinnaker/spinnaker

WEB

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2

WEB

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2

WEB

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1

WEB

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.2

WEB

https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2026-32604

Aliases

CVE-2026-32604

CVSS Analysis

CVSS v3.1

9.9

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

9.9/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2026-32604

Ecosystems

Maven

Timeline

PublishedApr 21, 2026

ModifiedApr 21, 2026

GHSA-x3j7-7pgj-h87r | Mondoo Vulnerability Intelligence