Summary
ZeroPath disclosed two Spinnaker remote-code-execution vulnerabilities in April 2026. CVE-2026-32604 affects Clouddriver’s git repository artifact handling, and CVE-2026-32613 affects Echo’s Spring Expression Language handling for expected artifacts.
Both bugs are especially sensitive because Spinnaker is a deployment system. Code execution in Clouddriver or Echo can expose cloud credentials, source control credentials, and the internal service network that Spinnaker relies on. The GitHub advisories rate both CVEs 9.9 (critical) and list patched releases in the 2025 and 2026 release branches.
Attribution
This entry is self-reported. The ZeroPath write-up supplies the discovery story and says LLMs helped with the work of filtering candidate issues against Spinnaker’s security model. GitHub’s advisories and the NVD records corroborate the vulnerability details and patched versions but do not independently describe the AI workflow.
Why it matters
Spinnaker is a good example of bugflation moving into operational software with complex trust boundaries. The flaws were simple at the sink level, but their impact depended on understanding how Gate, Clouddriver, Echo, stored credentials, and pipeline permissions interact.
For defenders, the lesson is direct: AI-assisted review can surface high-impact issues in orchestration software where exploitability depends on architecture, not only on a single dangerous API call.
References
- ZeroPath: Critical Spinnaker vulns allow RCE and production compromise
- GitHub advisory: GHSA-x3j7-7pgj-h87r / CVE-2026-32604
- GitHub advisory: GHSA-69rw-45wj-g4v6 / CVE-2026-32613
- NVD: CVE-2026-32604
- NVD: CVE-2026-32613
- Spinnaker release 2026.0.1
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.