CVE-2026-32604 Overview
CVE-2026-32604 is a critical remote code execution vulnerability affecting Spinnaker, the open source, multi-cloud continuous delivery platform maintained by the Linux Foundation. In vulnerable versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor with low privileges can execute arbitrary commands on the clouddriver pods. This vulnerability can expose credentials, allow file deletion, or enable the injection of malicious resources into the CI/CD pipeline.
Critical Impact
This vulnerability allows authenticated attackers to execute arbitrary commands on clouddriver pods, potentially compromising the entire continuous delivery infrastructure, exposing cloud credentials, and enabling supply chain attacks.
Affected Products
- Linux Foundation Spinnaker versions prior to 2025.3.2
- Linux Foundation Spinnaker versions prior to 2025.4.2
- Linux Foundation Spinnaker versions 2026.x prior to 2026.0.1 and 2026.1.0
Discovery Timeline
- April 20, 2026 - CVE-2026-32604 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-32604
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in Spinnaker's handling of gitrepo artifact types within the clouddriver component. The clouddriver service is responsible for managing cloud provider integrations and artifact handling in Spinnaker deployments. Due to insufficient validation of user-supplied input when processing git repository artifacts, an attacker with low-level privileges can craft malicious requests that result in arbitrary command execution on the underlying pod infrastructure.
The scope of this vulnerability extends beyond the vulnerable component itself, meaning a successful exploit can affect resources beyond the security scope of the clouddriver service. This includes potential access to cloud provider credentials stored within the environment, manipulation of deployment artifacts, and lateral movement within the Kubernetes cluster hosting Spinnaker.
Root Cause
The root cause is improper input validation (CWE-20) in the gitrepo artifact handling functionality. When processing git repository artifact definitions, the clouddriver component fails to properly sanitize user-controlled input before passing it to system-level operations. This allows command injection through specially crafted artifact configurations that bypass expected input boundaries.
Attack Vector
The attack is network-accessible and requires only low-level privileges within the Spinnaker platform. An attacker can exploit this vulnerability by:
- Authenticating to the Spinnaker platform with minimal privileges
- Crafting a malicious gitrepo artifact configuration containing embedded commands
- Submitting the malicious artifact configuration through normal Spinnaker workflows
- The clouddriver component processes the artifact without proper sanitization
- Arbitrary commands execute within the context of the clouddriver pod
The vulnerability requires no user interaction and can impact resources beyond the initial security scope of the compromised component. For detailed technical analysis, refer to the ZeroPath blog post on Spinnaker RCE.
Detection Methods for CVE-2026-32604
Indicators of Compromise
- Unusual process execution originating from clouddriver pods, particularly shell invocations or command interpreters
- Unexpected network connections from clouddriver pods to external or internal endpoints
- Anomalous file system modifications within clouddriver container environments
- Authentication logs showing artifact creation or modification from unexpected user accounts
Detection Strategies
- Monitor clouddriver pod logs for suspicious command patterns or error messages indicating command injection attempts
- Implement runtime security monitoring on Kubernetes clusters to detect unexpected process spawning within Spinnaker pods
- Review Spinnaker audit logs for unusual gitrepo artifact configurations or rapid artifact creation patterns
- Deploy network segmentation policies and alert on clouddriver pods attempting unauthorized network communications
Monitoring Recommendations
- Enable comprehensive audit logging for all Spinnaker artifact operations, particularly those involving gitrepo types
- Implement container runtime monitoring with SentinelOne Singularity to detect anomalous process execution within clouddriver pods
- Configure alerting for any shell or command interpreter processes spawned within Spinnaker service containers
- Monitor for credential access attempts or exfiltration patterns from clouddriver pod environments
How to Mitigate CVE-2026-32604
Immediate Actions Required
- Upgrade Spinnaker immediately to patched versions: 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2
- If immediate patching is not possible, disable gitrepo artifact types as a temporary workaround
- Review clouddriver pod logs and audit trails for signs of prior exploitation
- Rotate any credentials that may have been accessible from clouddriver pods
Patch Information
Patched versions are available from the official Spinnaker releases:
For complete vulnerability details and remediation guidance, see the GitHub Security Advisory GHSA-x3j7-7pgj-h87r.
Workarounds
- Disable gitrepo artifact types in Spinnaker configuration until patching is complete
- Implement network policies restricting clouddriver pod egress to only required endpoints
- Apply principle of least privilege to all Spinnaker user accounts to minimize attack surface
- Consider isolating Spinnaker infrastructure in dedicated security boundaries
# Example: Disable gitrepo artifact types in clouddriver configuration
# In clouddriver-local.yml or equivalent configuration file
artifacts:
gitrepo:
enabled: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
