CVE-2026-32604
Received Received - Intake
Command Injection in Spinnaker Clouddriver Pods Enables Credential Exposure

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32604
EUVD
EUVD-2026-23963
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linuxfoundation spinnaker to 2025.3.2 (exc)
linuxfoundation spinnaker From 2025.4.0 (inc) to 2025.4.2 (exc)
linuxfoundation spinnaker From 2026.0.0 (inc) to 2026.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Spinnaker, an open source multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, an attacker can easily execute arbitrary commands on the clouddriver pods.

This means the attacker can perform actions such as exposing credentials, deleting files, or injecting resources within the affected system.

A patch is available in versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, and as a temporary workaround, disabling the gitrepo artifact types is recommended.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of commands on clouddriver pods.

  • Exposure of sensitive credentials.
  • Deletion or removal of important files.
  • Injection of unauthorized resources into the system.

Overall, it can lead to a complete compromise of the affected Spinnaker deployment.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Spinnaker to one of the patched versions: 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2.

As a workaround until you can upgrade, disable the gitrepo artifact types to reduce the risk of arbitrary command execution on the clouddriver pods.

Compliance Impact

This vulnerability allows a bad actor to execute arbitrary commands on clouddriver pods, potentially exposing credentials, removing files, or injecting resources. Such unauthorized access and data exposure could lead to violations of data protection and security requirements mandated by standards like GDPR and HIPAA.

Specifically, exposure of credentials and unauthorized resource manipulation can compromise confidentiality, integrity, and availability of sensitive data, which are core principles in these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32604. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart