CVE-2026-44795

Spinnaker · Spinnaker

Spinnaker is vulnerable to unsafe reflection and deserialization of untrusted data, which could allow an authenticated attacker to execute arbitrary code.

Executive summary

Spinnaker is affected by multiple critical vulnerabilities involving unsafe deserialization and reflection that could lead to full system compromise by an authenticated user.

Vulnerability

This vulnerability consists of CWE-470 (Unsafe Reflection) and CWE-502 (Deserialization of Untrusted Data). An authenticated attacker can leverage these flaws to manipulate application logic and execute arbitrary code on the underlying host.

Business impact

The exploitation of these vulnerabilities carries a high business risk, as successful execution allows an attacker to gain full control over the continuous delivery pipeline. Given the CVSS score of 8.8, this flaw could lead to unauthorized access to sensitive deployment environments, data exfiltration, or the injection of malicious code into production software, resulting in severe reputational and operational damage.

Remediation

Immediate Action: Update Spinnaker to the latest patched versions identified in the vendor security advisory.

Proactive Monitoring: Review application logs for unusual deserialization patterns or unexpected class instantiation requests that deviate from normal operational baselines.

Compensating Controls: Ensure the Spinnaker instance is isolated within a restricted network segment and apply strict access controls to limit the number of users with the privileges required to reach the vulnerable endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability necessitates immediate attention. Administrators must prioritize updating their Spinnaker environments to the latest secure versions to eliminate the risk of remote code execution. Failure to patch these components leaves the continuous delivery pipeline exposed to significant security threats.