CVE-2026-32604
Spinnaker Dual 10.0s: Echo SpEL and Clouddriver gitrepo RCE Gut Netflix's CD Platform (CVE-2026-32604, CVE-2026-32613)
Two critical (CVSS 10.0) RCE bugs in Spinnaker, disclosed April 21, 2026, with working PoCs: SpEL expression injection in Echo and shell injection in Clouddriver gitrepo artifacts. Any authenticated user pops the CD plane and walks out with every stored cloud credential.