Cyber Posture

CVE-2026-32613

Critical · RCE

Published: 20 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32613 is a critical-severity Code Injection (CWE-94) vulnerability in Linuxfoundation Spinnaker. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent · SI-10 (Information Input Validation): validates SpEL expressions processed by the Echo service to prevent injection of arbitrary Java classes that would enable RCE.

Prevent · CM-7 (Least Functionality): restricts Echo service functionality to essential capabilities with trusted classes only, preventing full JVM access, as in the workaround of disabling Echo.

Prevent: remediates the SpEL context restriction flaw by promptly patching vulnerable Spinnaker versions.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

SpEL injection in the public-facing Echo service enables remote authenticated attackers to invoke arbitrary Java classes, yielding RCE, system command execution (Unix shell), and full system access with privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike Orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary Java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable Echo entirely.

Deeper analysis

CVE-2026-32613 is a critical vulnerability in Spinnaker, an open-source multi-cloud continuous delivery platform, specifically affecting its Echo service. Echo uses Spring Expression Language (SpEL) to process information around expected artifacts without restricting the evaluation context to trusted classes—unlike the Orca service—allowing full JVM access. This enables attackers to invoke arbitrary Java classes for deep system access. The issue impacts versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, with a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-94 (code injection).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation grants arbitrary Java class usage, enabling remote code execution such as invoking system commands and accessing files, with high impacts across confidentiality, integrity, and availability due to the changed scope.

Patched versions include 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, as detailed in Spinnaker release notes and security advisory GHSA-69rw-45wj-g4v6. A recommended workaround is to disable the Echo service entirely.

A blog post on zeropath.com describes a production compromise involving Spinnaker RCE, suggesting real-world exploitation has occurred.
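The analysis above turns on one configuration choice: which SpEL evaluation context the service hands to the parser. The following is an added illustration in plain Spring (not Spinnaker's own code, and not the Echo or Orca implementation) contrasting an unrestricted StandardEvaluationContext with a SimpleEvaluationContext limited to read-only data binding; the Artifact class and the two expressions are constructed for the demonstration, and java.lang.Math stands in as a harmless type reference.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Constructed stand-in for the artifact data a template expression is meant to read.
    // Not Spinnaker's artifact model; it only gives the expressions a root object.
    public static class Artifact {
        private final String name;
        private final String version;
        public Artifact(String name, String version) { this.name = name; this.version = version; }
        public String getName() { return name; }
        public String getVersion() { return version; }
    }

    // A legitimate template expression: reads properties of the root object.
    static final String DATA_EXPR = "name + ':' + version";
    // An expression that steps outside the data model through a T() type reference.
    // java.lang.Math is a harmless placeholder; a restricted context refuses any type.
    static final String TYPE_EXPR = "T(java.lang.Math).abs(-7)";

    // Unrestricted: StandardEvaluationContext resolves arbitrary types, static methods and
    // constructors, which is the "full JVM access" condition the advisory describes.
    static Object evalUnrestricted(String expr, Artifact root) {
        return PARSER.parseExpression(expr).getValue(new StandardEvaluationContext(root));
    }

    // Restricted: SimpleEvaluationContext limits evaluation to read-only property access on
    // the root object; its type locator rejects every T() reference with SpelEvaluationException.
    static Object evalRestricted(String expr, Artifact root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().withRootObject(root).build();
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    public static void main(String[] args) {
        Artifact a = new Artifact("app-image", "1.4.2");
        System.out.println(evalUnrestricted(DATA_EXPR, a)); // data-model read succeeds in both contexts
        System.out.println(evalRestricted(DATA_EXPR, a));
        System.out.println(evalUnrestricted(TYPE_EXPR, a)); // type reference resolves: the vulnerable setting
        try {
            evalRestricted(TYPE_EXPR, a);
        } catch (SpelEvaluationException e) {
            System.out.println("rejected by restricted context: " + e.getMessage());
        }
    }
}
```

Requires spring-expression on the classpath; the restricted variant is the shape of the "trusted classes only" control listed under Mitigating Controls.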

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: linuxfoundation / spinnaker: ≤ 2025.3.2 · 2025.4.0 — 2025.4.2 · 2026.0.0 — 2026.0.1

CVEs Like This One

CVE-2026-32604 · Same product: Linuxfoundation Spinnaker
CVE-2025-61916 · Same product: Linuxfoundation Spinnaker
CVE-2026-25153 · Same vendor: Linuxfoundation
CVE-2024-24421 · Same vendor: Linuxfoundation
CVE-2026-35171 · Same vendor: Linuxfoundation
CVE-2024-53351 · Same vendor: Linuxfoundation
CVE-2026-27965 · Same vendor: Linuxfoundation
CVE-2026-33217 · Same vendor: Linuxfoundation
CVE-2025-67037 · Shared CWE-94
CVE-2025-67036 · Shared CWE-94
