
Spinnaker CVE-2026-44795

HIGH
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-06-22 https://github.com/spinnaker/spinnaker GHSA-c8q4-9h32-2ww8
8.5 (CVSS 3.1 · GitHub Advisory)

Severity by source

GitHub Advisory (primary): 8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

vuln.today AI: 8.5 HIGH

Network-reachable Spinnaker API with a low-privileged pipeline user (PR:L); RCE in Orca/Rosco crosses scope into managed cloud accounts, justifying S:C and I:H.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: High
  • Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 22, 2026 - 21:20 (vuln.today)
  • Analysis Generated: Jun 22, 2026 - 21:20 (vuln.today)

Description (GitHub Advisory)

Impact

There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when performing:

  • CloudFormation deployments
  • CloudFoundry Baking

The use of a non-safe constructor allows arbitrary loading of Java classes, leading to RCE.

Patches

2025.3.3, 2026.0.3 and 2025.4.4.

Workarounds

Disable the CloudFormation system and cloudfoundry baking operations.

Resources

Join Spinnaker on Slack for more information!

Analysis (AI)

Remote code execution in Spinnaker's Orca and Rosco services allows authenticated users to achieve arbitrary Java class loading through unsafe YAML deserialization when triggering CloudFormation deployments or CloudFoundry baking operations. The flaw bypasses safe deserialization by using a non-safe SnakeYAML constructor, and a scope change (S:C) means impact extends beyond the vulnerable component. …
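
The safe-constructor pattern referred to above, as an added example (not Spinnaker's code or its patch). It assumes SnakeYAML 2.x on the classpath; the class name, limits and sample documents are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {

    // Hardened loader for user-supplied YAML. SafeConstructor builds only
    // standard YAML types (maps, lists, strings, numbers, booleans, dates);
    // a tag that names a Java class has no handler, so the load fails.
    // By contrast, org.yaml.snakeyaml.constructor.Constructor with global
    // tags permitted instantiates whatever class the tag names.
    static Map<String, Object> loadUntrusted(String text) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);     // no silent key override
        options.setMaxAliasesForCollections(20);  // bound alias expansion
        options.setNestingDepthLimit(30);         // bound nesting depth
        options.setCodePointLimit(1024 * 1024);   // bound document size

        Object root = new Yaml(new SafeConstructor(options)).load(text);
        if (!(root instanceof Map)) {
            throw new YAMLException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> doc = (Map<String, Object>) root;
        return doc;
    }

    // Returns a one-line verdict suitable for a log or a unit test.
    static String describe(String text) {
        try {
            return "accepted, top-level keys " + loadUntrusted(text).keySet();
        } catch (YAMLException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        String plain = "Resources:\n  Bucket:\n    Type: AWS::S3::Bucket\n";
        // Benign stand-in for a document that carries a Java class tag.
        String tagged = "Resources: !!java.util.concurrent.atomic.AtomicInteger 7\n";

        System.out.println("plain  -> " + describe(plain));
        System.out.println("tagged -> " + describe(tagged));
    }
}
```

SafeConstructor also rejects local tags it has no handler for, so CloudFormation short-form intrinsics such as !Ref fail to load unless a handler is registered for them.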


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain Spinnaker pipeline-edit credentials
  • Delivery: Craft YAML with Java gadget tag
  • Exploit: Submit pipeline with CloudFormation or bake stage
  • Execution: Orca/Rosco invokes unsafe SnakeYAML constructor
  • Persist: JVM instantiates attacker class and executes code
  • Impact: Abuse Spinnaker cloud credentials to pivot into AWS/CloudFoundry

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated Spinnaker user (PR:L) with sufficient permissions to submit or trigger a pipeline that invokes either the CloudFormation deployment stage or a CloudFoundry baking operation in Rosco; the target Spinnaker installation must have those two features enabled (they are part of the default Spinnaker capability set when the relevant cloud providers are configured). …

Risk Assessment: The vendor-supplied CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N yields 8.5 (High), with scope change reflecting that RCE inside Orca/Rosco lets an attacker pivot into the cloud accounts Spinnaker manages (AWS, CloudFoundry) - arguably a bigger blast radius than the score suggests. …

Exploit Scenario: An attacker with a low-privileged Spinnaker account (or credentials phished from a developer) authors or modifies a pipeline that includes a CloudFormation deployment stage or a CloudFoundry bake stage, embedding a malicious YAML payload referencing a Java gadget class. When the pipeline executes, Orca or Rosco parses the YAML through the unsafe constructor, instantiating the attacker-chosen class and executing arbitrary code inside the Spinnaker service container - which typically holds long-lived cloud credentials for the target deployment accounts. …

Remediation: Vendor-released patches are available: upgrade Orca and Rosco to 2025.3.3 on the 2025.3.x line, to 2025.4.4 on the 2025.4.x line, or to 2026.0.3 on the 2026.0.x line, matching whichever Spinnaker release train is deployed (see https://github.com/spinnaker/spinnaker/security/advisories/GHSA-c8q4-9h32-2ww8 for details). …

Recommended Action (AI)

Within 24 hours: Inventory all Spinnaker instances in production; identify those running Orca and Rosco services; audit recent CloudFormation and CloudFoundry deployment activity; review GHSA-c8q4-9h32-2ww8 for affected release lines. …
