CVE-2026-32604: Spinnaker Clouddriver Remote Code Execution (CVSS 9.9)

Overview

A critical remote code execution (RCE) vulnerability has been identified in Spinnaker's clouddriver service, the component responsible for cloud provider integrations including credential management for AWS, GCP, Azure, and other platforms. The flaw, tracked as CVE-2026-32604 with a CVSS score of 9.9, allows a bad actor to execute arbitrary OS-level commands directly on clouddriver pods with minimal effort.

Exploitation can result in exposure of cloud provider credentials, file deletion, resource injection, and full compromise of the CI/CD delivery pipeline.

Affected Versions

Component	Vulnerable Versions
Spinnaker clouddriver	All versions prior to 2026.1.0
Spinnaker clouddriver	All versions prior to 2026.0.1
Spinnaker clouddriver	All versions prior to 2025.4.2
Spinnaker clouddriver	All versions prior to 2025.3.2

Vulnerability Details

CVE ID: CVE-2026-32604
CVSS Score: 9.9 (Critical)
Attack Vector: Network
Authentication Required: None
Component: clouddriver (Spinnaker)

The vulnerability exists in the clouddriver service's handling of user-supplied input. Because clouddriver manages cloud provider authentication tokens and interacts with cloud APIs, a successful exploit grants an attacker access to all configured cloud credentials — including IAM roles, service account keys, and deployment pipelines.

Specific impact includes:

Arbitrary command execution on clouddriver Kubernetes pods
Credential exposure — cloud provider secrets, API keys, and tokens stored in clouddriver
File system manipulation — delete, overwrite, or create files within the pod
Resource injection — modify or inject cloud resources into managed accounts
Lateral movement — pivot from clouddriver into connected cloud environments

Timeline

Date	Event
2026-04-20	CVE published to NVD
2026-04-21	Spinnaker patched releases confirmed

Remediation

Patch immediately. Upgrade to one of the following fixed versions:

2026.1.0 or later
2026.0.1 or later
2025.4.2 or later
2025.3.2 or later

Patches are available via the official Spinnaker release channels and Helm chart repositories.

Immediate Mitigations

If patching is not immediately possible:

Restrict network access to clouddriver — ensure it is not exposed externally and limit pod-to-pod communication via NetworkPolicy
Audit cloud credentials — rotate all cloud provider credentials managed by clouddriver
Review audit logs — check clouddriver logs for unusual command execution or API calls
Enable Kubernetes RBAC — verify clouddriver's service account has least-privilege permissions

References

Overview

Exploitation can result in exposure of cloud provider credentials, file deletion, resource injection, and full compromise of the CI/CD delivery pipeline.

Component

Vulnerable Versions

Spinnaker clouddriver

All versions prior to 2026.1.0

Spinnaker clouddriver

All versions prior to 2026.0.1

Spinnaker clouddriver

All versions prior to 2025.4.2

Spinnaker clouddriver

All versions prior to 2025.3.2

Vulnerability Details

CVE ID: CVE-2026-32604
CVSS Score: 9.9 (Critical)
Attack Vector: Network
Authentication Required: None
Component: clouddriver (Spinnaker)

Specific impact includes:

Arbitrary command execution on clouddriver Kubernetes pods

Credential exposure — cloud provider secrets, API keys, and tokens stored in clouddriver

File system manipulation — delete, overwrite, or create files within the pod

Resource injection — modify or inject cloud resources into managed accounts

Lateral movement — pivot from clouddriver into connected cloud environments

Date

Event

2026-04-20

CVE published to NVD

2026-04-21

Spinnaker patched releases confirmed

Remediation

Patch immediately. Upgrade to one of the following fixed versions:

2026.1.0 or later

2026.0.1 or later

2025.4.2 or later

2025.3.2 or later

Patches are available via the official Spinnaker release channels and Helm chart repositories.

Immediate Mitigations

If patching is not immediately possible:

Restrict network access to clouddriver — ensure it is not exposed externally and limit pod-to-pod communication via NetworkPolicy

Audit cloud credentials — rotate all cloud provider credentials managed by clouddriver

Review audit logs — check clouddriver logs for unusual command execution or API calls

Enable Kubernetes RBAC — verify clouddriver's service account has least-privilege permissions

CVE-2026-32604: Spinnaker Clouddriver Remote Code Execution (CVSS 9.9)

Affected Products

Overview

Affected Versions

Vulnerability Details

Timeline

Remediation

Immediate Mitigations

References

CVE-2026-32613: Spinnaker Echo Spring Expression Language Injection (CVSS 9.9)

CVE-2026-39918: Vvveb CMS Unauthenticated PHP Code Injection via Install Endpoint

CVE-2026-21994: Critical Unauthenticated RCE in Oracle Edge Cloud Infrastructure Designer v0.3.0

CVE-2026-32604: Spinnaker Clouddriver Remote Code Execution (CVSS 9.9)

Affected Products

Overview

Affected Versions

Vulnerability Details

Timeline

Remediation

Immediate Mitigations

References

CVE-2026-32613: Spinnaker Echo Spring Expression Language Injection (CVSS 9.9)

CVE-2026-39918: Vvveb CMS Unauthenticated PHP Code Injection via Install Endpoint

CVE-2026-21994: Critical Unauthenticated RCE in Oracle Edge Cloud Infrastructure Designer v0.3.0