Critical Spinnaker Vulnerability Exposes JVM to Attackers

The National Vulnerability Database has detailed CVE-2026-32613, a critical vulnerability in Spinnaker, the open-source, multi-cloud continuous delivery platform. The flaw, which carries a CVSS score of 9.9, specifically affects Spinnaker's Echo service, which uses the Spring Expression Language (SpEL) for artifact processing.

Unlike other Spinnaker components, Echo in versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 failed to restrict the SpEL evaluation context to trusted classes. That oversight gave an attacker full access to the JVM, allowing arbitrary Java classes to be loaded and executed through an expression. The National Vulnerability Database confirms this permits command invocation and file system access, presenting a severe remote code execution risk.
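The defect described above is the difference between evaluating untrusted SpEL against a full StandardEvaluationContext and against a restricted SimpleEvaluationContext. The following Java program is an added illustration, not Spinnaker's or Echo's own code and not the upstream fix; it uses only the public Spring Framework SpEL API, and the artifact map and the two expressions are constructed for the demonstration. A benign data-binding expression works under both contexts, while a type reference (which is what makes any class on the classpath reachable) succeeds only under the unrestricted context and is rejected by the restricted one.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

import java.util.HashMap;
import java.util.Map;

public class SpelContextDemo {

    // Constructed sample: the only data an artifact template should be able to see.
    static Map<String, Object> artifact() {
        Map<String, Object> m = new HashMap<>();
        m.put("name", "my-app");
        m.put("version", "1.2.3");
        return m;
    }

    // Vulnerable pattern: StandardEvaluationContext exposes type references,
    // constructors, and reflective method calls, i.e. the whole JVM.
    static Object evaluateUnrestricted(String expr) {
        ExpressionParser parser = new SpelExpressionParser();
        StandardEvaluationContext ctx = new StandardEvaluationContext(artifact());
        Expression e = parser.parseExpression(expr);
        return e.getValue(ctx);
    }

    // Hardened pattern: SimpleEvaluationContext for read-only data binding only
    // allows property/index reads on the root object; T(...) lookups are refused.
    static Object evaluateRestricted(String expr) {
        ExpressionParser parser = new SpelExpressionParser();
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression e = parser.parseExpression(expr);
        return e.getValue(ctx, artifact());
    }

    public static void main(String[] args) {
        // Constructed expressions: one legitimate template, one that reaches outside the root object.
        String benign  = "['name'] + ':' + ['version']";
        String typeRef = "T(java.lang.Math).abs(-3)";

        System.out.println("unrestricted, benign : " + evaluateUnrestricted(benign));   // my-app:1.2.3
        System.out.println("restricted,   benign : " + evaluateRestricted(benign));     // my-app:1.2.3

        // Any class on the classpath is reachable here; Math is used only to keep the demo harmless.
        System.out.println("unrestricted, T(...) : " + evaluateUnrestricted(typeRef));  // 3

        try {
            evaluateRestricted(typeRef);
            System.out.println("restricted,   T(...) : evaluated (unexpected)");
        } catch (SpelEvaluationException ex) {
            // The restricted context has no type locator, so the type reference cannot resolve.
            System.out.println("restricted,   T(...) : rejected -> " + ex.getMessage());
        }
    }
}
```

The hardened variant is what "restricting the SpEL context to trusted classes" amounts to in practice: templates keep access to the artifact fields they need, and the evaluator has no way to resolve a type reference, call a constructor, or invoke reflective methods on arbitrary objects. If a deployment cannot yet move to a fixed Echo release, a reviewer can grep the expression-handling code for StandardEvaluationContext constructed from externally supplied input as a quick way to locate the same pattern.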

Defenders must prioritize patching. The National Vulnerability Database states that versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain the necessary fix. For organizations unable to patch immediately, disabling the Echo service entirely is a viable workaround to mitigate this critical exposure.

What This Means For You

  • If your organization uses Spinnaker, immediately verify your Echo service version. Prioritize patching to versions 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 to prevent full JVM access. If patching isn't feasible, disable Echo immediately to close this critical RCE vector.

Related ATT&CK Techniques

T1190 (Initial Access), severity critical. Associated detection rule: CVE-2026-32613 - Spinnaker Echo SpEL JVM Access.

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-32613  RCE                     Spinnaker Echo service versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2
CVE-2026-32613  Code Injection          Spinnaker Echo service SpEL (Spring Expression Language) processing with full JVM access
CVE-2026-32613  Information Disclosure  Spinnaker Echo service SpEL (Spring Expression Language) allowing arbitrary file access

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 21, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
