
Java CVE-2026-32613

EUVD-2026-23964 | CRITICAL
Code Injection (CWE-94)
2026-04-20 GitHub_M GHSA-69rw-45wj-g4v6
CVSS 3.1: 9.9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (8 events)

Patch released: Apr 23, 2026 - 18:30 (nvd), Patch available
Re-analysis Queued: Apr 21, 2026 - 16:22 (vuln.today), cvss_changed
Patch available: Apr 20, 2026 - 22:31 (EUVD)
Analysis Generated: Apr 20, 2026 - 21:44 (vuln.today)
CVSS changed: Apr 20, 2026 - 21:22 (NVD), 10.0 (CRITICAL) 9.9 (CRITICAL)
EUVD ID Assigned: Apr 20, 2026 - 21:15 (euvd), EUVD-2026-23964
Analysis Generated: Apr 20, 2026 - 21:15 (vuln.today)
CVE Published: Apr 20, 2026 - 20:07 (nvd), CRITICAL 9.9

Description (NVD)

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike Orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary Java classes, which allow deep access to the system, including the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable Echo entirely.

Analysis (AI)

Remote code execution in Spinnaker's Echo service (all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2) allows authenticated attackers with low privileges to execute arbitrary system commands and access files through unrestricted Spring Expression Language (SpEL) injection in artifact processing. Unlike Spinnaker's Orca service, which implemented SpEL sandbox restrictions, Echo permits full JVM class access, enabling attackers to invoke arbitrary Java classes for deep system compromise. …


Remediation (AI)

Within 24 hours: Identify all Spinnaker Echo service instances and document current versions via spinnaker-diag or deployment manifests; isolate affected deployments from production pipelines if running versions prior to 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2. Within 7 days: Apply vendor patches - upgrade to Echo 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 depending on your release track; validate patches via deployment testing in a non-production environment. …
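
A version triage for the inventory step above, written as an added example (not code from vuln.today or from the Spinnaker project). It assumes release strings of the form `YYYY.N.P` and reads the advisory's four fixed versions as one fix per release line; the deployment names and versions in the sample inventory are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by release line (major, minor)
# and mapped to the first patched patch-level on that line.
FIXED = {(2025, 3): 2, (2025, 4): 2, (2026, 0): 1, (2026, 1): 0}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(.*)")


def triage(version):
    """Classify one Spinnaker release string against CVE-2026-32613."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.groups()[:3])
    if m.group(4):
        # Suffixes such as -rc1 or -SNAPSHOT may predate the fix: check by hand.
        return "review"
    line = (major, minor)
    if line in FIXED:
        return "patched" if patch >= FIXED[line] else "vulnerable"
    if line > max(FIXED):
        # Assumption: lines newer than 2026.1 carry the fix forward.
        return "patched"
    # Line has no fixed release in the advisory: move to a patched line.
    return "vulnerable-no-fix-on-line"


def exposed(inventory):
    """Return {deployment: status} for every entry not classified as patched."""
    return {name: s for name, v in inventory.items()
            if (s := triage(v)) != "patched"}


# Constructed inventory: the deployment names and versions are made up.
SAMPLE = {
    "prod-eu": "2025.4.2",
    "prod-us": "2025.4.1",
    "staging": "2026.0.0",
    "legacy": "2025.2.7",
    "canary": "2026.1.0-rc1",
    "dev": "2026.1.0",
}

if __name__ == "__main__":
    for name, status in sorted(exposed(SAMPLE).items()):
        print(f"{name}: {SAMPLE[name]} -> {status}")
```

Comparing against a single threshold gets this wrong in both directions: "older than 2026.1.0" flags the patched 2025.4.2, while "at least 2025.3.2" passes the unpatched 2025.4.1.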

