Overview
A critical code injection vulnerability has been discovered in Spinnaker's Echo service, the event and notification component responsible for pipeline triggering and artifact processing. Tracked as CVE-2026-32613 with a CVSS score of 9.9, the flaw stems from unrestricted processing of Spring Expression Language (SpEL) expressions during expected artifact evaluation — an attack surface that was secured in other Spinnaker services (such as Orca) but left unguarded in Echo.
An attacker who can influence artifact input to Echo can inject arbitrary SpEL expressions, which are then evaluated server-side with no sandboxing, enabling full remote code execution on the Echo service pod.
Affected Versions
| Component | Vulnerable Versions |
|---|---|
| Spinnaker echo | All versions prior to 2026.1.0 |
| Spinnaker echo | All versions prior to 2026.0.1 |
| Spinnaker echo | All versions prior to 2025.4.2 |
| Spinnaker echo | All versions prior to 2025.3.2 |
Vulnerability Details
CVE ID: CVE-2026-32613
CVSS Score: 9.9 (Critical)
Attack Vector: Network
Authentication Required: Low (pipeline/artifact control)
Component: echo (Spinnaker notification and event service)
CWE: CWE-94 (Improper Control of Generation of Code)
Root Cause
Spinnaker uses Spring Expression Language (SpEL) to process dynamic values across several services. SpEL is a powerful expression language that, when unrestricted, allows arbitrary Java method invocation and OS-level operations.
The Orca service (pipeline orchestration) had SpEL restrictions applied in earlier versions, but Echo was never updated with equivalent restrictions. Since Echo processes expected artifact definitions — which can contain SpEL expressions — a crafted artifact definition causes Echo to evaluate attacker-controlled SpEL, resulting in code execution.
How SpEL Injection Works
SpEL expressions use the ${} or #{} syntax to evaluate Java expressions at runtime. Spinnaker pipelines use these expressions legitimately for variable substitution and conditional logic. However, SpEL also provides access to the full Java class ecosystem through its T() operator, which allows callers to reference any Java class — including those with system-level capabilities.
When Echo evaluates artifact name expressions without restricting the available class set, an attacker-supplied expression can invoke Java's runtime environment capabilities directly. This gives the attacker the same level of access as the Echo process itself, which typically runs within the Kubernetes service mesh with access to other Spinnaker components.
Impact
Successful exploitation allows an attacker to:
- Execute arbitrary commands on the Echo pod
- Access Spinnaker internal APIs — Echo communicates with Gate, Orca, Front50, and other services
- Trigger unauthorized pipeline executions — send fabricated events to initiate deployments
- Exfiltrate notification secrets — Slack tokens, PagerDuty keys, email credentials configured in Echo
- Move laterally within the Spinnaker service mesh
Timeline
| Date | Event |
|---|---|
| 2026-04-20 | CVE published to NVD |
| 2026-04-21 | Fixed versions confirmed in Spinnaker release channels |
Remediation
Upgrade immediately to a patched version:
- 2026.1.0 or later
- 2026.0.1 or later
- 2025.4.2 or later
- 2025.3.2 or later
The patches restrict SpEL expression evaluation in Echo to a safe subset, consistent with the restrictions already in place in Orca.
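To make the difference between unrestricted and restricted evaluation concrete (the T() access described under "How SpEL Injection Works" and the "safe subset" the patches enforce), here is an added Java example that is not Echo's or Spinnaker's own code: it evaluates the same artifact-name template under Spring's StandardEvaluationContext and under SimpleEvaluationContext, which ships with no TypeLocator and therefore rejects every T() type reference at evaluation time. The ${...} template delimiters and the #artifactName variable are assumptions for illustration, not Echo's actual evaluation model.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ArtifactNameEvaluator {
    // Assumption: ${...} delimiters, as used in Spinnaker pipeline expressions.
    private static final TemplateParserContext TEMPLATE = new TemplateParserContext("${", "}");
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Unrestricted: StandardEvaluationContext resolves T() type references,
     *  constructors and reflective method calls on any class on the classpath. */
    static String evaluateUnrestricted(String template, String artifactName) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setVariable("artifactName", artifactName);
        return PARSER.parseExpression(template, TEMPLATE).getValue(ctx, String.class);
    }

    /** Restricted: SimpleEvaluationContext has no TypeLocator, so any T(...)
     *  raises SpelEvaluationException (TYPE_NOT_FOUND) instead of loading a class.
     *  Variables and read-only property access still work for legitimate templates. */
    static String evaluateRestricted(String template, String artifactName) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("artifactName", artifactName);
        return PARSER.parseExpression(template, TEMPLATE).getValue(ctx, String.class);
    }

    public static void main(String[] args) {
        String legitimate = "${#artifactName}-release";
        // Constructed sample: a harmless type reference, used only to show that
        // the restricted context refuses T() regardless of which class is named.
        String typeReference = "${T(java.lang.Math).PI}";

        System.out.println(evaluateUnrestricted(typeReference, "nginx")); // class access succeeds
        System.out.println(evaluateRestricted(legitimate, "nginx"));       // nginx-release
        try {
            evaluateRestricted(typeReference, "nginx");
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessageCode());         // TYPE_NOT_FOUND
        }
    }
}
```

A whitelist of permitted types (as Orca's restrictions do) can be layered on top by supplying a custom TypeLocator to a StandardEvaluationContext, but the SimpleEvaluationContext form above is the smallest change that removes the class-reference surface entirely.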
Interim Mitigations
If immediate patching is not possible:
- Restrict artifact input sources — limit which systems can submit artifacts to Echo; use authenticated pipeline triggers only
- Network-isolate Echo — prevent external or unauthenticated access to Echo's API endpoints
- Monitor Echo logs — look for unusual process execution or unexpected outbound connections from the Echo pod
- Review notification configurations — audit and rotate all secrets (Slack, PagerDuty, email) configured in Echo
Relationship to CVE-2026-32604
This CVE was disclosed alongside CVE-2026-32604, a separate critical RCE in Spinnaker's clouddriver service. Organizations running Spinnaker should treat both vulnerabilities as part of a coordinated patch cycle — both carry CVSS 9.9 and affect the same release branches.