How to fix CVE-2026-25534?

Within 24 hours: Audit current Spinnaker version and determine if you are running affected versions (pre-2025.4.1, pre-2025.3.1, pre-2025.2.4, or pre-2026.0.0). Within 7 days: Apply the available vendor patch to upgrade to patched versions. If patching cannot be completed immediately, implement compensating controls by disabling artifact handling in Orca fromUrl expression evaluation until patching is completed. Within 30 days: Complete full deployment of patched versions across all Spinnaker instances and conduct a security review of artifact sources to identify any potential compromise.

Is Java affected by CVE-2026-25534?

A critical vulnerability in Spinnaker (CVE-2026-25534, CVSS 9.1) allows attackers to bypass URL validation controls in both Clouddriver and Orca components through specially crafted URLs, potentially enabling unauthorized access or malicious artifact deployment.

CVE-2026-25534

CRITICAL

2026-03-16 https://github.com/spinnaker/spinnaker

GHSA-8r8j-gfhg-fw38

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 16:00 vuln.today

Patch Released

Mar 16, 2026 - 16:00 nvd

Patch available

CVE Published

Mar 16, 2026 - 15:15 nvd

CRITICAL 9.1

Description

### Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result. ### Patches This has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0. ### Workarounds You can disable the various artifacts on this system to work around these limits.

Analysis

Java URL parsing in Spinnaker's clouddriver and Orca components fails to properly validate URLs containing underscores, allowing authenticated attackers to bypass URL sanitation controls and potentially execute arbitrary code or access unauthorized resources. This vulnerability affects both the clouddriver artifact handling and Orca fromUrl expression evaluation in versions prior to 2025.2.4, 2025.3.1, 2025.4.1, and 2026.0.0. …

Remediation

Within 24 hours: Audit current Spinnaker version and determine if you are running affected versions (pre-2025.4.1, pre-2025.3.1, pre-2025.2.4, or pre-2026.0.0). Within 7 days: Apply the available vendor patch to upgrade to patched versions. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +46

POC: 0

CVE-2026-25534 vulnerability details – vuln.today

Back

CVE-2026-25534

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-25534

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code