Platform
java
Component
io.spinnaker.clouddriver:clouddriver-artifacts
Fixed in
2025.2.5
2025.3.1
2025.4.1
2025.2.5
2025.3.1
2025.4.1
2025.2.4
CVE-2026-25534 is a critical vulnerability affecting Spinnaker Clouddriver Artifacts versions up to main-99. This flaw allows attackers to bypass URL validation logic, enabling malicious URL manipulation. The vulnerability stems from improper handling of underscores in Java URL objects, effectively circumventing previous mitigation efforts related to CVE-2025-61916. Affected versions include those prior to 2025.2.4, with a fix available in those versions and later.
The impact of CVE-2026-25534 is significant due to its potential for arbitrary code execution. An attacker could craft malicious URLs that bypass the intended sanitation measures, potentially leading to the execution of arbitrary commands on the Spinnaker server. This could result in data breaches, system compromise, and complete control over the deployment pipeline. The vulnerability's impact extends beyond the artifacts component, affecting Orca's fromUrl expression handling as well. Successful exploitation could allow an attacker to inject malicious scripts or commands into the deployment process, leading to widespread damage.
CVE-2026-25534 was publicly disclosed on March 16, 2026. While no public proof-of-concept (PoC) has been released, the bypass nature of the vulnerability and its connection to a previously disclosed CVE (CVE-2025-61916) suggest a potential for exploitation. The vulnerability's criticality warrants immediate attention and patching. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (14% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25534 is to upgrade Spinnaker Clouddriver Artifacts to version 2025.2.4 or later. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block URLs containing suspicious underscore patterns. Additionally, review and strengthen URL validation logic within your fromUrl expressions in Orca. Monitor Spinnaker logs for unusual URL patterns or unexpected behavior. After upgrading, confirm the fix by attempting to submit a crafted URL that previously bypassed validation; it should now be properly sanitized.
Update Spinnaker clouddriver and orca to versions 2025.4.1, 2025.3.1, 2025.2.4 or 2026.0.0, or higher. Alternatively, disable the affected artifacts on the system.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25534 is a critical vulnerability in Spinnaker Clouddriver Artifacts allowing attackers to bypass URL validation due to improper handling of underscores. This can lead to potential code execution.
Yes, if you are using Spinnaker Clouddriver Artifacts versions prior to 2025.2.4 (≤main-99), you are affected by this vulnerability.
Upgrade Spinnaker Clouddriver Artifacts to version 2025.2.4 or later. Consider WAF rules as a temporary workaround.
While no public exploits are currently known, the vulnerability's nature and connection to a previous CVE suggest a potential for exploitation.
Refer to the Spinnaker project's security advisories on their official website or GitHub repository for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.