CVE-2026-32613

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

How to fix CVE-2026-32613

To remediate CVE-2026-32613, upgrade the affected package to a fixed version below.

• —upgrade to 2026.0.1 or later

Is CVE-2026-32613 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2026.0-0, < 2026.0.1

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32613
• PATCHgithub.com/spinnaker/spinnaker
• WEBgithub.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2
• WEBgithub.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2