CVE-2026-55175

Spinnaker · Spinnaker

A deserialization vulnerability in the Spinnaker continuous delivery platform allows authenticated users to execute arbitrary code or cause system compromise.

Executive summary

A critical deserialization flaw in the Spinnaker platform allows an authenticated attacker to compromise the host system, necessitating an immediate update.

Vulnerability

This vulnerability (CWE-502) involves the deserialization of untrusted data within the Spinnaker platform. An authenticated attacker can manipulate serialized objects to execute arbitrary code or manipulate system state, depending on the application's configuration.

Business impact

Successful exploitation leads to full system compromise, granting an attacker the ability to execute arbitrary code within the continuous delivery pipeline. Given that Spinnaker manages deployment infrastructure, this represents a critical risk of lateral movement and supply chain compromise. The CVSS score of 7.5 reflects the high potential for impact on confidentiality, integrity, and availability.

Remediation

Immediate Action: Upgrade to the patched versions (e.g., 2026.1.1, 2026.0.3, 2025.4.4, or 2025.3.4) as identified in the vendor security advisory.

Proactive Monitoring: Review application logs for suspicious deserialization activity or unexpected process execution spawned by the Spinnaker services.

Compensating Controls: Restrict access to the Spinnaker management interface to trusted users via VPN or mTLS, and ensure the service runs with the principle of least privilege.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Spinnaker is a central component of CI/CD pipelines, making this vulnerability a high-priority risk. Organizations must ensure that the aforementioned patches are applied across all affected instances to prevent unauthorized code execution and potential systemic compromise.