logo

Database

Lack of data validation In io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo

Description

Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-326042. NVD-2026-326043. OSV-2026-326044. GHSA-x3j7-7pgj-h87r5. GCVE-2026-32604

References

1. https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r2. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.23. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.24. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.15. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.26. https://zeropath.com/blog/spinnaker-rce-production-compromise

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.