CVE-2026-25534
Published: 17 March 2026
Summary
CVE-2026-25534 is a critical-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25534 is a URL validation bypass vulnerability in Netflix's Spinnaker platform, specifically affecting the clouddriver and Orca components. Spinnaker's updated URL validation logic for user-inputted URLs in clouddriver failed to properly handle underscores during parsing by Java URL objects, enabling a bypass of mitigations for the prior CVE-2025-61916 via crafted URLs. The issue also extends to Orca's existing fromUrl expression handling, impacting both artifacts and classified under CWE-918 (Server-Side Request Forgery).
Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving scope-crossing effects (S:C). This yields high confidentiality impact (C:H), along with low integrity (I:L) and availability (A:L) impacts, for an overall CVSS v3.1 score of 9.1. Exploitation relies on supplying malicious URLs that evade sanitation, potentially allowing unauthorized actions tied to the bypassed prior vulnerability.
Patches addressing this vulnerability have been merged and are available in Spinnaker versions 2025.4.1, 2025.3.1, 2025.2.4, and 2026.0.0. As a workaround, administrators can disable the affected clouddriver and Orca artifacts. Additional details are provided in GitHub security advisories GHSA-8r8j-gfhg-fw38 and GHSA-vrjc-q2fh-6x9h, as well as commit 7c4737906239a958a468e843239c6785b03d0eda.
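The advisory does not show Spinnaker's validation code, so the following is an added example (not Spinnaker's own) of one way an underscore in a host defeats a Java URL check: java.net.URI accepts "https://internal_host.corp/" but returns null from getHost(), so a validator that treats a missing host as "nothing to deny" lets the request through, while a strict validator fails closed. The allow-list, class name and sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not Spinnaker code: weak vs. strict allow-list validation of
// user-supplied URLs. The allow-list suffix below is constructed.
public class UrlAllowListCheck {
    private static final List<String> ALLOWED_SUFFIXES = List.of("artifacts.example.com");
    // RFC 1123 hostname: letters, digits and hyphens per label; underscores are not allowed.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,63}$", Pattern.CASE_INSENSITIVE);

    // Weak check: for a host containing '_', URI parses the authority as
    // registry-based and getHost() returns null, so the deny branch is skipped.
    static boolean weakIsAllowed(String url) {
        try {
            String host = new URI(url).getHost();
            if (host == null) return true;   // "no host to check" -> allowed (the bug)
            return ALLOWED_SUFFIXES.stream().anyMatch(host::endsWith);
        } catch (URISyntaxException e) { return false; }
    }

    // Strict check: fail closed when the host is absent or not a syntactically
    // valid hostname, reject user-info tricks, and match whole labels not suffixes.
    static boolean strictIsAllowed(String url) {
        try {
            URI uri = new URI(url);
            String host = uri.getHost();
            if (host == null || uri.getUserInfo() != null) return false;
            if (!HOSTNAME.matcher(host).matches()) return false;
            String lower = host.toLowerCase();
            return ALLOWED_SUFFIXES.stream()
                .anyMatch(s -> lower.equals(s) || lower.endsWith("." + s));
        } catch (URISyntaxException e) { return false; }
    }

    public static void main(String[] args) {
        String[] samples = {                            // constructed inputs
            "https://repo.artifacts.example.com/a.jar", // legitimate: both allow
            "https://internal_host.corp/secret",        // underscore: weak allows, strict rejects
            "https://evilartifacts.example.com/x",      // suffix trap: weak allows, strict rejects
        };
        for (String s : samples)
            System.out.printf("%-45s weak=%-5b strict=%b%n", s, weakIsAllowed(s), strictIsAllowed(s));
    }
}
```

The same null-host behaviour means any check that only runs when getHost() is non-null should be treated as a deny-by-default gap, whatever HTTP client later performs the request.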
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12592
Vulnerability details
### Impact
Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result.
### Patches
This has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.
### Workarounds
You can disable the various artifacts on this system to work around these limits.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- Exploit Public-Facing Application (T1190): SSRF via URL validation bypass in network-accessible Spinnaker components (clouddriver/Orca) directly enables exploitation of a public-facing application for unauthorized server-side requests.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mandates validation of user-supplied URLs at input points to prevent bypasses from improper Java URL parsing handling underscores.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and patching of flaws like the URL validation bypass, with available patches in specified Spinnaker versions.
- Restricts malformed or suspicious URL inputs that could evade sanitation logic in clouddriver and Orca components.