Skip to main content

Spinnaker CVE-2026-55175

| EUVDEUVD-2026-43087 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-10 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Reachable over the network via the pipeline API but requires authenticated bake-trigger privileges (PR:L) and a crafted YAML-tag payload (AC:H); RCE on the pod yields full C/I/A impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 22:50 vuln.today

DescriptionCVE.org

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.

AnalysisAI

Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Spinnaker with pipeline access
Delivery
Submit crafted Kustomize manifest with malicious YAML tags
Exploit
Trigger Rosco Kustomize bake
Execution
Unsafe YAML deserialization instantiates payload
Persist
Execute arbitrary code on Rosco pod
Impact
Pivot to Kubernetes cluster credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to submit or trigger a Kustomize bake operation in Rosco with attacker-controlled manifest content that includes malicious/explicit YAML tags - this is the exact prerequisite named in the description ('Kustomize bake operations allow unsafe YAML tag processing in rosco manifests'). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a network-reachable but non-trivial attack: it requires low-level privileges (PR:L - a user able to submit or trigger a bake pipeline) and high attack complexity (AC:H), which meaningfully constrains opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Spinnaker user (or a compromised low-privilege account) with the ability to configure or trigger a Kustomize bake stage submits a manifest containing malicious YAML tags. When Rosco bakes the manifest, its unsafe YAML parser processes the crafted tags and executes attacker code on the Rosco pod. …
Remediation Vendor-released patch: upgrade to Spinnaker/Rosco 2026.1.1, 2026.0.3, 2025.4.4, or 2025.3.4 depending on your release line (or 2026.2.0+), per advisory GHSA-p68j-q7hf-3qcp; the fixes are delivered in commits 2d75818, bbc30c9, de5a7a0, df32d56, and f5cec21 which replace unsafe YAML tag processing with a safe loader during Kustomize bakes. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit your Spinnaker deployment to identify the current release version and line (2026.1.x, 2026.0.x, 2025.4.x, 2025.3.x, or earlier). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy