
Critical Spinnaker RCE Vulnerabilities, CVSS 10.0, Patch Now


Summary

The Centre for Cybersecurity Belgium has issued a critical security advisory warning of two remote code execution vulnerabilities in Spinnaker, an open-source multi-cloud continuous delivery platform. CVE-2026-32613 and CVE-2026-32604 both carry a CVSS score of 10.0, the maximum severity rating, affecting expression parsing and gitrepo artifact type handling respectively. The vulnerabilities allow authenticated attackers to execute arbitrary code or access internal resources by exploiting insufficient input validation and improper sanitisation of user-controlled input such as branch names and file paths. CCB strongly recommends installing updates for vulnerable installations with the highest priority after thorough testing.

“Multiple critical vulnerabilities have been identified in Spinnaker, an open-source multi-cloud continuous delivery platform.”

CCB, verbatim from source
Why this matters

Organisations running Spinnaker should immediately inventory their deployments and assess exposure to both CVEs. Read the vector rather than the headline number: network-reachable, low attack complexity, low privileges, no user interaction, a scope change and full confidentiality, integrity and availability impact. In practice that means any authenticated user who can influence pipeline configuration is a potential attacker, and the scope change means the impact extends beyond the vulnerable component itself. Note that the vector string printed in the advisory (PR:L with S:C) evaluates to 9.9 under the CVSS 3.1 formula; 10.0 is the figure CCB reports. Compensating controls reduce exposure but do not remove the flaws, so patching is the remediation. Pending the patch, teams should review pipeline expressions and gitrepo artifact configurations for untrusted user input (trigger payloads, pipeline parameters, branch names and file paths) and restrict who can edit pipeline configuration.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by CCB on ccb.belgium.be. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

About this source

GovPing monitors Belgium CCB News alt for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.

What changed

CCB published a critical security advisory on 22 April 2026 alerting organisations to two maximum-severity remote code execution vulnerabilities in Spinnaker. CVE-2026-32613 stems from insufficient validation in pipeline expression parsing, which allows malicious expressions to be executed; CVE-2026-32604 stems from improper sanitisation of user-controlled input such as branch names and file paths in gitrepo artifact handling. Both vulnerabilities require an authenticated attacker and may enable arbitrary code execution or access to internal resources. Organisations running Spinnaker should prioritise patching after testing, enhance monitoring for intrusion indicators, and report any suspected compromise through the CCB incident portal. Note that patching does not remediate historic compromise, so a deployment that was exposed before the patch still needs a review of pipeline history and execution logs.

What to do next

  1. Install updates for vulnerable Spinnaker installations with the highest priority after thorough testing
  2. Upscale monitoring and detection capabilities to identify any related suspicious activity
  3. Report incidents via https://ccb.belgium.be/cert/report-incident
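Until the patch is in, the review of pipeline expressions and gitrepo artifact configuration for untrusted input (recommended under Why this matters) can be scripted against exported pipeline JSON. The block below is an added example, not code from CCB or the Spinnaker project. It assumes a simplified pipeline shape, shown in the constructed sample: `expectedArtifacts[].matchArtifact` with `type` set to `git/repo`, `version` carrying the branch and `location` carrying a path inside the repository. Those field names are assumptions to check against your own exports, and the ref-name and path-confinement rules are generic hardening heuristics rather than the upstream fix.

```python
"""Triage helper: flag pipeline JSON fields where caller-controlled data reaches
${...} expressions or git/repo artifact branch/path fields. Added example;
JSON shape and field names are assumptions, rules are generic heuristics."""
import json
import posixpath
import re

# Spinnaker pipeline expressions use ${...}; non-greedy match, nested braces
# are not handled (good enough for triage, not for parsing SpEL)
EXPR_RE = re.compile(r"\$\{(.*?)\}", re.DOTALL)
# Assumption: trigger payloads and pipeline parameters are the usual untrusted inputs
UNTRUSTED_SOURCES = ("trigger.", "parameters.", "parameters[")
# Simplified git ref-name rules from git-check-ref-format(1)
BAD_REF_PATTERNS = (
    re.compile(r"\.\."), re.compile(r"[\x00-\x20~^:?*\[\\]"),
    re.compile(r"@\{"), re.compile(r"\.lock(/|$)"), re.compile(r"//"),
)


def is_valid_ref_name(name: str) -> bool:
    """Reject names git itself refuses, plus a leading '-' (option-injection
    risk when a name ends up as an argument to a git CLI)."""
    if not name or name == "@" or name.startswith(("-", "/", ".")):
        return False
    if name.endswith(("/", ".")):
        return False
    return not any(p.search(name) for p in BAD_REF_PATTERNS)


def is_confined_path(path: str) -> bool:
    """True if a repository-relative path cannot escape the checkout root."""
    if not path or path.startswith("/"):
        return False
    norm = posixpath.normpath(path)
    return norm != ".." and not norm.startswith("../")


def walk(node, path="$"):
    """Yield (json_path, value) for every string leaf in the pipeline."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_untrusted_expressions(pipeline: dict) -> list:
    """Flag ${...} expressions anywhere in the pipeline that read trigger or parameter data."""
    findings = []
    for p, s in walk(pipeline):
        for expr in EXPR_RE.findall(s):
            if any(src in expr for src in UNTRUSTED_SOURCES):
                findings.append((p, expr.strip()))
    return findings


def find_risky_git_artifacts(pipeline: dict) -> list:
    """Flag git/repo artifacts whose branch or path is an expression or fails
    the ref-name / path-confinement checks (field names are assumptions)."""
    findings = []
    for i, art in enumerate(pipeline.get("expectedArtifacts", [])):
        match = art.get("matchArtifact", {})
        if match.get("type") != "git/repo":
            continue
        where = f"$.expectedArtifacts[{i}].matchArtifact"
        branch = match.get("version", "")
        subpath = match.get("location", "")
        if EXPR_RE.search(branch) or EXPR_RE.search(subpath):
            findings.append((where, "expression in branch/path"))
        elif not is_valid_ref_name(branch):
            findings.append((where, f"bad ref name {branch!r}"))
        elif subpath and not is_confined_path(subpath):
            findings.append((where, f"path escapes checkout {subpath!r}"))
    return findings


# Constructed sample pipeline (not a real export): one artifact takes its branch
# from the trigger, one has a traversal path, one is clean
SAMPLE_PIPELINE = json.loads("""{
  "name": "deploy-service",
  "expectedArtifacts": [
    {"matchArtifact": {"type": "git/repo", "reference": "https://example.invalid/org/app.git",
                       "version": "${trigger.payload.branch}", "location": "manifests"}},
    {"matchArtifact": {"type": "git/repo", "reference": "https://example.invalid/org/app.git",
                       "version": "main", "location": "../../etc"}},
    {"matchArtifact": {"type": "git/repo", "reference": "https://example.invalid/org/app.git",
                       "version": "release/1.2", "location": "k8s"}}
  ],
  "stages": [
    {"type": "deployManifest", "manifests": [{"namespace": "${parameters.ns}"}]},
    {"type": "bakeManifest", "outputName": "${execution.id}-bundle"}
  ]
}""")

if __name__ == "__main__":
    for finding in find_untrusted_expressions(SAMPLE_PIPELINE) + find_risky_git_artifacts(SAMPLE_PIPELINE):
        print(*finding)
```

A hit from this script is a review item, not a confirmed vulnerability: what matters is who can change the trigger payload or parameter behind the flagged field, and that is the access the interim restriction on pipeline configuration is meant to narrow.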

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Warning: CRITICAL CVE-2026-32613 & CVE-2026-32604 in Spinnaker, Patch Immediately!


Published: 22/04/2026

  • Last Update: 22/04/2026
  • Affected products:
    → Spinnaker

  • Type: Remote Code Execution (RCE)

  • CVE/CVSS:

CVE-2026-32613: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2026-32604: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

GHSA - https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r
GHSA - https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6

Risks

Multiple critical vulnerabilities have been identified in Spinnaker, an open-source multi-cloud continuous delivery platform. These vulnerabilities may allow an authenticated attacker to execute arbitrary code or access internal resources by abusing insufficient input validation mechanisms.

Description

CVE-2026-32613 - RCE via expression parsing
A critical vulnerability affects expression parsing, where insufficient validation allows execution of malicious expressions. This can lead to arbitrary code execution when untrusted input is processed within pipeline expressions.

CVE-2026-32604 - RCE when using gitrepo artifact types
A critical vulnerability exists in the handling of gitrepo artifact types due to improper sanitisation of user-controlled input such as branch names and file paths. An attacker with access to pipeline configuration may exploit this flaw to execute arbitrary code on the affected system.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.


About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CCB.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency
CCB
Published
April 22nd, 2026
Instrument
Guidance
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies; Manufacturers
Industry sector
5112 Software & Technology
Activity scope
Software vulnerability patching; Cybersecurity incident response
Geographic scope
BE

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy; Telecommunications
