What is the CVSS score of CVE-2026-32604?

CVE-2026-32604 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Spinnaker are affected by CVE-2026-32604?

Spinnaker clouddriver versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a critical remote code execution vulnerability affecting authenticated users.. A patch is available.

Spinnaker CVE-2026-32604

EUVD-2026-23963 CRITICAL

Improper Input Validation (CWE-20)

2026-04-20 GitHub_M

GHSA-x3j7-7pgj-h87r

Code Injection

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Apr 23, 2026 - 18:30 nvd

Patch available

Re-analysis Queued

Apr 21, 2026 - 16:22 vuln.today

cvss_changed

Patch available

Apr 20, 2026 - 22:31 EUVD

Analysis Generated

Apr 20, 2026 - 21:44 vuln.today

CVSS changed

Apr 20, 2026 - 21:22 NVD

10.0 (CRITICAL) 9.9 (CRITICAL)

EUVD ID Assigned

Apr 20, 2026 - 21:15 euvd

EUVD-2026-23963

Analysis Generated

Apr 20, 2026 - 21:15 vuln.today

CVE Published

Apr 20, 2026 - 20:00 nvd

CRITICAL 9.9

DescriptionNVD

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

AnalysisAI

Remote code execution in Spinnaker's clouddriver component allows authenticated attackers to execute arbitrary commands on clouddriver pods via gitrepo artifact processing. Affects all versions prior to patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. …

RemediationAI

Within 24 hours: Identify all Spinnaker clouddriver instances and document current versions; restrict clouddriver API access via network controls to trusted CI/CD systems only. Within 7 days: Upgrade to patched versions (2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 depending on release line); validate upgrade in non-production environment first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32604 vulnerability details – vuln.today

Back

Spinnaker CVE-2026-32604

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code