Skip to main content

Java CVE-2026-32613

| EUVDEUVD-2026-23964 CRITICAL
Code Injection (CWE-94)
2026-04-20 GitHub_M GHSA-69rw-45wj-g4v6
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Patch released
Apr 23, 2026 - 18:30 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Patch available
Apr 20, 2026 - 22:31 EUVD
Analysis Generated
Apr 20, 2026 - 21:44 vuln.today
CVSS changed
Apr 20, 2026 - 21:22 NVD
10.0 (CRITICAL) 9.9 (CRITICAL)
EUVD ID Assigned
Apr 20, 2026 - 21:15 euvd
EUVD-2026-23964
Analysis Generated
Apr 20, 2026 - 21:15 vuln.today
CVE Published
Apr 20, 2026 - 20:07 nvd
CRITICAL 9.9

DescriptionGitHub Advisory

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

AnalysisAI

Remote code execution in Spinnaker's Echo service (all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2) allows authenticated attackers with low privileges to execute arbitrary system commands and access files through unrestricted Spring Expression Language (SPeL) injection in artifact processing. Unlike Spinnaker's Orca service which implemented SPeL sandbox restrictions, Echo permits full JVM class access, enabling attackers to invoke arbitrary Java classes for deep system compromise. The CVSS 9.9 score reflects network attack vector with low complexity, scope change to impact other components, and complete CIA triad compromise. EPSS and KEV data not available - exploitation status unknown but patches are available from Spinnaker project.

Technical ContextAI

Spinnaker's Echo service processes expected artifacts using Spring Expression Language (SPeL), a powerful expression language built into the Spring Framework that allows runtime evaluation of expressions against Java objects. The vulnerability stems from Echo's failure to restrict the SPeL evaluation context to a safe subset of classes, unlike the defense implemented in Spinnaker's Orca service. This unrestricted access permits attackers to reference and invoke arbitrary Java classes available in the JVM classpath, including dangerous classes like Runtime, ProcessBuilder, and file I/O classes. The root cause aligns with CWE-94 (Improper Control of Generation of Code - Code Injection), where user-controlled input is evaluated as executable code without sufficient sandboxing. This is a classic SPeL injection vulnerability pattern affecting Spring-based applications, where expression evaluation without allowlist-based class restrictions transforms intended data processing into a code execution primitive.

RemediationAI

Upgrade Spinnaker to patched versions immediately: 2026.1.0 or 2026.0.1 for 2026.x deployments, 2025.4.2 for 2025.4.x deployments, or 2025.3.2 for 2025.3.x deployments. Release packages available at https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1, https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2, and https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2. The patches implement class allowlisting for SPeL evaluation contexts in Echo, mirroring the protection already present in Orca. For environments unable to immediately upgrade, disable the Echo service entirely as a temporary workaround - note this will impact pipeline notification, event handling, and webhook functionality, potentially disrupting CI/CD workflows. Network-level compensating controls are ineffective since the vulnerability requires authenticated access already permitted for legitimate users. If Echo must remain operational pre-patch, implement strict RBAC to minimize accounts with artifact configuration permissions and audit all artifact definitions for suspicious SPeL expressions, though manual inspection is error-prone and not a substitute for patching.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-32613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy