Listen to this Post
The vulnerability resides in Spinnaker’s Echo service, which processes information using Spring Expression Language (SPeL), specifically when handling expected artifacts. Unlike the Orca service, which restricts the expression evaluation context to a set of trusted classes, Echo fails to enforce any restrictions, granting full Java Virtual Machine (JVM) access to the expression parser. This lack of a class whitelist allows an authenticated, low-privileged user to supply a malicious artifact containing an arbitrary SPeL expression. When Echo evaluates this expression, it can instantiate arbitrary Java classes, invoke system commands (e.g., java.lang.Runtime.exec()), and read or write files. The attack is network-based, has low attack complexity, and requires only low-privilege credentials, leading to a CVSS base score of 10.0 (Critical). No user interaction is needed, and the scope is changed, meaning the compromised component can affect resources beyond its original privileges. The vulnerability affects all Spinnaker versions before the patched releases: < 2026.0.1, < 2025.4.2, and < 2025.3.2. A successful exploit allows an attacker to execute arbitrary code on the Echo server, leading to a full system compromise.
DailyCVE Form:
Platform: Spinnaker Echo
Version: <2026.0.1,<2025.4.2,<2025.3.2
Vulnerability : SPeL Code Injection
Severity: CRITICAL (10.0)
date: 2026-04-20
Prediction: Patch date 2026-03-20
What Undercode Say:
Analytics show this vulnerability was discovered by ZeroPath Research and reported on 2026-03-11, with patches released on 2026-03-20. The flaw was made public on 2026-04-20. Due to its maximum severity, organizations are strongly advised to prioritize patching. The following `curl` command can be used to check your Spinnaker version:
curl -v https://<your-gate-host>/version
Alternatively, in the Deck UI, click the Gear Icon and navigate to Settings.
To verify if a system is patched against this specific issue, check the `echo-pipelinetriggers` package version:
Check current version hal config version Or inspect the running Echo pod in Kubernetes kubectl describe pod <echo-pod-name> | grep Image
Exploit:
Proof-of-concept exploits have been released publicly. An attacker with low-privileged authenticated access can craft a malicious artifact that embeds a SPeL expression. For example, by injecting `${T(java.lang.Runtime).getRuntime().exec(‘touch /tmp/pwned’)}` into a field processed by Echo (such as an expected artifact definition), the attacker can execute arbitrary operating system commands on the Echo server. The full technical details and demonstration are available in the ZeroPath AI GitHub repository.
Protection from this CVE
The only complete mitigation is to upgrade Spinnaker to the patched versions: 2026.0.1, 2025.4.2, 2025.3.2, or 2026.1.0. As a temporary workaround, the Echo service can be disabled entirely, though this will break pipeline triggers. No other known workarounds exist. After patching, it is crucial to rotate any credentials that may have been exposed.
Impact:
Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) on the Echo server. This can lead to:
– Full compromise of the Spinnaker deployment.
– Theft of cloud provider credentials stored within Spinnaker, enabling a pivot into production cloud environments.
– Arbitrary file read/write and disruption of continuous delivery pipelines.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

