CVE-2026-32613 Overview
CVE-2026-32613 is a critical Code Injection vulnerability affecting Spinnaker, an open source, multi-cloud continuous delivery platform maintained by the Linux Foundation. The vulnerability exists in the Echo service, which uses Spring Expression Language (SpEL) to process information related to expected artifacts. Unlike other Spinnaker services such as Orca, Echo fails to restrict the SpEL evaluation context to a set of trusted classes, instead allowing full JVM access. This oversight enables authenticated attackers to leverage arbitrary Java classes to gain deep system access, execute commands, and access sensitive files.
Critical Impact
Authenticated attackers can achieve remote code execution through unrestricted SpEL evaluation, enabling complete system compromise including command execution and file system access.
Affected Products
- LinuxFoundation Spinnaker versions prior to 2025.3.2
- LinuxFoundation Spinnaker versions prior to 2025.4.2
- LinuxFoundation Spinnaker versions prior to 2026.0.1 and 2026.1.0
Discovery Timeline
- 2026-04-20 - CVE CVE-2026-32613 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-32613
Vulnerability Analysis
The vulnerability stems from an insecure implementation of Spring Expression Language (SpEL) processing within the Spinnaker Echo service. SpEL is a powerful expression language that supports querying and manipulating object graphs at runtime. When properly sandboxed, SpEL can safely evaluate expressions within a constrained context. However, the Echo service implementation failed to implement the necessary restrictions that other Spinnaker components, such as Orca, properly enforce.
Without the trusted class restrictions, an attacker with low-privilege access to the Spinnaker platform can craft malicious SpEL expressions that instantiate arbitrary Java classes. This capability allows for exploitation of dangerous classes such as java.lang.Runtime or java.lang.ProcessBuilder to execute system commands, java.io.File operations to read or write files, and reflection-based attacks to bypass additional security controls.
The attack is particularly severe because it can be launched over the network, requires only low privileges, and the changed scope means it can affect resources beyond the vulnerable component's security scope.
Root Cause
The root cause is CWE-94 (Improper Control of Generation of Code / Code Injection). The Echo service processes expected artifact information using SpEL without implementing a whitelist of allowed classes for expression evaluation. While the Orca service properly restricts the evaluation context to trusted classes, this security control was not implemented in Echo, creating an inconsistent security posture across Spinnaker services.
Attack Vector
The attack vector is network-based, requiring only authenticated low-privilege access to the Spinnaker platform. An attacker can exploit this vulnerability by submitting specially crafted artifact definitions containing malicious SpEL expressions. When Echo processes these artifacts, the expressions are evaluated in an unrestricted JVM context, allowing the attacker to execute arbitrary Java code.
The exploitation flow involves the attacker crafting a malicious payload containing SpEL expressions that reference dangerous Java classes. When this payload is processed through the artifact handling functionality, the SpEL engine evaluates the expression without restriction. This can result in execution of arbitrary commands using Runtime.exec(), file system access for reading sensitive configuration or credentials, network connections to exfiltrate data or establish reverse shells, and complete compromise of the underlying system.
For detailed technical analysis of this vulnerability, refer to the ZeroPath Blog on RCE.
Detection Methods for CVE-2026-32613
Indicators of Compromise
- Unusual SpEL expressions in artifact definitions containing Java class references such as java.lang.Runtime, java.lang.ProcessBuilder, or java.io.File
- Unexpected process spawning from Echo service processes, particularly shell commands or script interpreters
- Anomalous file access patterns from the Echo service, especially reads of sensitive configuration files or credential stores
- Outbound network connections from Echo service to unexpected destinations
Detection Strategies
- Monitor Echo service logs for SpEL evaluation errors or unusual expression patterns that indicate attempted exploitation
- Implement application-level logging to capture artifact definitions being processed, enabling forensic analysis
- Deploy runtime application self-protection (RASP) solutions to detect and block arbitrary code execution attempts
- Use SentinelOne Singularity to detect anomalous process creation and command execution from Java-based services
Monitoring Recommendations
- Configure alerting for any process spawning from Spinnaker Echo service processes
- Monitor for file system access to sensitive paths such as /etc/passwd, credential files, or SSH keys from the Echo container or process
- Implement network monitoring to detect unusual egress traffic from Spinnaker infrastructure
- Review audit logs for artifact submissions containing suspicious patterns or encoded payloads
How to Mitigate CVE-2026-32613
Immediate Actions Required
- Upgrade Spinnaker to patched versions 2025.3.2, 2025.4.2, 2026.0.1, or 2026.1.0 immediately
- If immediate patching is not possible, disable the Echo service entirely as a temporary workaround
- Audit recent artifact submissions for potential exploitation attempts
- Review access controls to ensure only trusted users can submit artifact definitions
Patch Information
Security patches are available in the following Spinnaker releases:
The patches implement proper SpEL evaluation context restrictions in the Echo service, aligning its security posture with other Spinnaker services like Orca. For complete details, see the GitHub Security Advisory GHSA-69rw-45wj-g4v6.
Workarounds
- Disable the Echo service entirely if patching is not immediately possible, as recommended by the vendor
- Implement strict network segmentation to limit exposure of Spinnaker services to trusted networks only
- Apply principle of least privilege to limit which users can submit artifact definitions
- Deploy web application firewalls (WAF) with rules to detect and block SpEL injection patterns
# Disable Echo service in Spinnaker configuration
# In halyard configuration file (typically ~/.hal/config)
hal config notification echo disable
# Or stop the Echo service directly if running standalone
sudo systemctl stop spinnaker-echo
sudo systemctl disable spinnaker-echo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
