CVE-2026-25534
Received Received - Intake
URL Validation Bypass in Spinnaker Clouddriver and Orca

Publication date: 2026-03-17

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
### Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result. ### Patches This has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0. ### Workarounds You can disable the various artifacts on this system to work around these limits.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25534
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
spinnaker clouddriver From 2025.4.1 (inc)
spinnaker clouddriver From 2025.3.1 (inc)
spinnaker clouddriver From 2025.2.4 (inc)
spinnaker clouddriver From 2026.0.0 (inc)
spinnaker orca From 2025.4.1 (inc)
spinnaker orca From 2025.3.1 (inc)
spinnaker orca From 2025.2.4 (inc)
spinnaker orca From 2026.0.0 (inc)
spinnaker clouddriver From 2025.2.4 (inc) to 2026.1.0 (inc)
spinnaker orca From 2025.2.4 (inc) to 2026.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25534 is a critical vulnerability in the Spinnaker platform affecting the Clouddriver and Orca components. It arises from improper URL validation logic that fails to correctly handle underscores in hostnames during URL parsing. This flaw is due to the underlying Java URL object's inability to properly parse underscores, allowing attackers to bypass previous URL validation protections."}, {'type': 'paragraph', 'content': "The vulnerability leads to Server-Side Request Forgery (SSRF), where attackers can craft malicious URLs that bypass security checks and potentially access unauthorized resources. It impacts both Clouddriver's user input sanitation and Orca's fromUrl expression handling."}] [1]

Impact Analysis

This vulnerability can have serious impacts including high confidentiality loss, low integrity loss, and low availability loss. Attackers exploiting this flaw can bypass URL validation to perform SSRF attacks, potentially accessing unauthorized internal resources or sensitive data.

The attack vector is network-based with low complexity, requiring low privileges and no user interaction, but it causes a scope change affecting multiple components within Spinnaker.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability arises from improper URL validation that fails to correctly handle underscores in hostnames during URL parsing in Spinnaker's Clouddriver and Orca components. Detection involves identifying attempts to use carefully crafted URLs containing underscores in hostnames that bypass URL validation."}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to URL parsing and validation, monitoring logs for URLs with underscores in hostnames or unusual URL patterns in requests to Clouddriver or Orca components can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but general approaches include:'}, {'type': 'list_item', 'content': 'Inspect application logs for URLs containing underscores in hostnames.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP requests to Spinnaker services and filter for URLs with underscores.'}, {'type': 'list_item', 'content': "Search logs or captured traffic with commands like: `grep -r '_.' /path/to/spinnaker/logs` to find URLs with underscores."}, {'type': 'list_item', 'content': 'Use custom scripts or tools to parse URLs in logs and flag those with underscores in hostnames.'}] [1]

Mitigation Strategies

Immediate mitigation steps include applying the patches released for this vulnerability or using available workarounds until patches can be applied.

  • Upgrade Spinnaker to one of the patched versions: 2025.3.1, 2025.4.1, 2025.2.4, 2026.0.0, or later releases.
  • As a temporary workaround, disable the affected artifact components (Clouddriver and Orca artifacts) on the system to prevent exploitation.

These steps help prevent attackers from exploiting the URL validation bypass caused by underscores in hostnames.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25534. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart