Cyber Resilience

CVE-2026-32613

Critical · RCE

Published: 20 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0055 (41.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-32613 is a critical-severity Code Injection (CWE-94) vulnerability in Linuxfoundation Spinnaker. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 41.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32613 is a critical vulnerability in Spinnaker, an open-source multi-cloud continuous delivery platform, specifically affecting its Echo service. Echo uses Spring Expression Language (SpEL) to process information around expected artifacts, but, unlike the Orca service, it does not restrict the evaluation context to a set of trusted classes, so expressions get full JVM access. This lets an attacker who controls an expression invoke arbitrary Java classes and gain deep access to the system. The issue affects versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, carries a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), and is classified under CWE-94 (code injection).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation grants arbitrary Java class usage, enabling remote code execution such as invoking system commands and accessing files, with high impacts across confidentiality, integrity, and availability due to the changed scope.

Patched versions include 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, as detailed in Spinnaker release notes and security advisory GHSA-69rw-45wj-g4v6. A recommended workaround is to disable the Echo service entirely.

A blog post on zeropath.com describes a production compromise involving Spinnaker RCE, suggesting real-world exploitation has occurred.


Vulnerability details

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike Orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary Java classes which allow deep access to the system, including the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable Echo entirely.
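The evaluation-context restriction the advisory refers to is a general Spring SpEL concern, and the Spring Framework ships a restricted context type for exactly this purpose. The following is an added Java example, not Spinnaker's own code and not its actual fix: it evaluates the same expressions against an assumed expected-artifact object once with an unrestricted StandardEvaluationContext (the pattern the advisory describes) and once with a SimpleEvaluationContext limited to read-only property access on the root object. The class, field and sample values are assumptions; only spring-expression is required on the classpath.

```java
// Added example (not Spinnaker's code): unrestricted vs. restricted SpEL evaluation
// of expressions supplied from outside the service. Requires spring-expression.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ArtifactExpressionDemo {

    /** Assumed stand-in for an expected-artifact record; not Spinnaker's real type. */
    public static final class ExpectedArtifact {
        private final String name;
        private final String reference;

        public ExpectedArtifact(String name, String reference) {
            this.name = name;
            this.reference = reference;
        }

        public String getName() { return name; }
        public String getReference() { return reference; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Unrestricted: type references T(...), constructors and any reachable method resolve. */
    public static Object evaluateUnrestricted(String expression, ExpectedArtifact root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(expression).getValue(ctx);
    }

    /**
     * Restricted: SimpleEvaluationContext.forReadOnlyDataBinding() offers no TypeLocator
     * and no constructor or method resolvers, so T(...) and new are rejected at evaluation
     * time while plain property reads on the root object still work.
     */
    public static Object evaluateRestricted(String expression, ExpectedArtifact root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expression).getValue(ctx, root);
    }

    /** Runs one expression through both contexts and reports what each one did. */
    private static void compare(String expression, ExpectedArtifact root) {
        System.out.println("expression: " + expression);
        try {
            System.out.println("  unrestricted -> " + evaluateUnrestricted(expression, root));
        } catch (EvaluationException e) {
            System.out.println("  unrestricted -> rejected: " + e.getMessage());
        }
        try {
            System.out.println("  restricted   -> " + evaluateRestricted(expression, root));
        } catch (EvaluationException e) {
            System.out.println("  restricted   -> rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed sample data; the values carry no meaning beyond the demo.
        ExpectedArtifact artifact = new ExpectedArtifact("app-image", "registry.example/app:1.2.3");

        // Legitimate data-binding use: succeeds under both contexts.
        compare("name + ':' + reference", artifact);

        // A type reference to a harmless JDK class: resolves unrestricted, but the
        // restricted context throws because it supplies no TypeLocator at all.
        compare("T(java.lang.String).valueOf(42)", artifact);

        // A constructor call: same split, since the restricted context has no
        // ConstructorResolver.
        compare("new java.lang.StringBuilder('abc').reverse()", artifact);
    }
}
```

The point the comparison makes is that the safe configuration is a property of the context handed to the evaluator, not of the expression text: the restricted context refuses whole categories of syntax (type references, constructors, bean references) rather than trying to filter individual class names, which is the shape of fix the advisory describes for Orca versus Echo. When reviewing SpEL use in a service, the question to ask is therefore which EvaluationContext each parseExpression(...).getValue(...) call receives and whether the expression can ever originate from a user.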

CWE(s)

CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

SpEL injection in the public-facing Echo service lets remote authenticated attackers invoke arbitrary Java classes, giving RCE, system command execution (Unix shell), and full system access with privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32604 · Same product: Linuxfoundation Spinnaker
CVE-2025-61916 · Same product: Linuxfoundation Spinnaker
CVE-2024-24421 · Same vendor: Linuxfoundation
CVE-2026-25153 · Same vendor: Linuxfoundation
CVE-2026-35171 · Same vendor: Linuxfoundation
CVE-2026-33217 · Same vendor: Linuxfoundation
CVE-2026-27965 · Same vendor: Linuxfoundation
CVE-2024-53351 · Same vendor: Linuxfoundation
CVE-2025-67036 · Shared CWE-94
CVE-2025-67034 · Shared CWE-94

Affected Assets

Vendor: linuxfoundation
Product: spinnaker
Affected versions: ≤ 2025.3.2 · 2025.4.0 — 2025.4.2 · 2026.0.0 — 2026.0.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Validates SpEL expressions processed by the Echo service to prevent injection of arbitrary Java classes that would enable RCE.

CM-7 Least Functionality (prevent)
Restricts the Echo service to essential capabilities and trusted classes only, preventing full JVM access; the vendor workaround of disabling Echo entirely is the strongest form of this control.

Flaw remediation (prevent)
Remediates the SpEL context restriction flaw by timely patching of vulnerable Spinnaker versions to 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2.
