Arbitrary Java Class Access in Spinnaker by Armory
CVE-2026-32613

10 CRITICAL

Key Information:

Vendor: Spinnaker

Status
Vendor
CVE Published: 20 April 2026

What is CVE-2026-32613?

A vulnerability in Spinnaker allows unauthorized access to system resources via the Spring Expression Language (SpEL). Prior to versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, the Echo service did not restrict access to a trusted set of classes, facilitating the execution of arbitrary Java commands. This can lead to command invocation, file access, and deeper system penetration. Users are advised to upgrade to patched versions or disable the Echo service as an immediate workaround.

Affected Version(s)

spinnaker < 2026.0.1

spinnaker < 2025.4.2

spinnaker < 2025.3.2

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
