CVE-2026-32604
Spinnaker · Spinnaker
A command injection vulnerability in Spinnaker's clouddriver pods allows attackers to execute arbitrary commands, potentially compromising credentials and resources.
Executive summary
Spinnaker clouddriver pods are vulnerable to arbitrary command execution, posing a critical risk of complete environment compromise.
Vulnerability
The application fails to properly sanitize inputs, allowing an attacker to execute arbitrary commands directly on the clouddriver pods. This vulnerability facilitates the exfiltration of credentials and the modification of cloud resources managed by the platform.
Business impact
With a CVSS score of 9.9, this vulnerability is extremely severe. Successful exploitation allows an attacker to achieve full control over the clouddriver component, leading to the compromise of cloud credentials, unauthorized manipulation of infrastructure resources, and potential lateral movement into the target cloud environment.
Remediation
Immediate Action: Upgrade to Spinnaker version 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2. As a temporary mitigation, disable the gitrepo artifact types.
Proactive Monitoring: Monitor for unexpected command execution within container environments and watch for unusual spikes in resource usage or unexpected network connections originating from clouddriver pods.
Compensating Controls: Apply strict network policies to restrict outbound traffic from clouddriver pods and ensure that the service account permissions associated with the pods follow the principle of least privilege.
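To apply the Immediate Action across several installations, the fixed releases above can be turned into a per-release-line check. The script below is an added example, not Spinnaker project code. It assumes that any release below its line's listed fix, or on an older line with no listed fix, still needs the upgrade, and that release lines newer than 2026.1 already carry the fix. The inventory names and versions are constructed.

```python
import re

# Fixed releases from the advisory, keyed by release line (major, minor).
FIXED = {(2025, 3): 2, (2025, 4): 2, (2026, 0): 1, (2026, 1): 0}

def triage(version):
    """Classify a Spinnaker version string as 'patched', 'upgrade' or 'unknown'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # Nightly or custom build tags cannot be compared; review by hand.
        return "unknown"
    major, minor, patch = map(int, m.groups())
    line = (major, minor)
    if line in FIXED:
        return "patched" if patch >= FIXED[line] else "upgrade"
    if line > max(FIXED):
        # Assumption: lines released after 2026.1 include the fix.
        return "patched"
    # Older line, or a line with no fixed release listed in the advisory.
    return "upgrade"

def needs_action(inventory):
    """Return the sorted names of installations that are not confirmed patched."""
    return sorted(name for name, ver in inventory.items()
                  if triage(ver) != "patched")

if __name__ == "__main__":
    # Constructed inventory: environment name -> deployed Spinnaker version.
    inventory = {
        "prod": "2025.3.1",
        "staging": "2026.1.0",
        "dev": "master-latest-validated",
        "legacy": "1.30.1",
    }
    for name, ver in sorted(inventory.items()):
        print(f"{name:8} {ver:26} {triage(ver)}")
    print("action required:", ", ".join(needs_action(inventory)))
```

Installations reported as upgrade or unknown are the ones where the temporary mitigation (disabling the gitrepo artifact types) applies until the upgrade lands.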
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the ease with which arbitrary commands can be executed, this vulnerability requires immediate attention. Organizations should prioritize updating their Spinnaker environment to the patched versions to prevent unauthorized access and potential takeover of their cloud infrastructure.