logo

Database

Remote command execution In io.spinnaker.echo:echo-pipelinetriggers

Description

Spinnaker: RCE via expression parsing due to unrestricted context handling Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-326132. NVD-2026-326133. OSV-2026-326134. GHSA-69rw-45wj-g4v65. GCVE-2026-32613

References

1. https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v62. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.23. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.24. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.15. https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.26. https://zeropath.com/blog/spinnaker-rce-production-compromise

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.