Spinnaker Clouddriver RCE Vulnerability via Gitrepo Artifact Types
Vulnerability
A remote code execution vulnerability has been identified in Spinnaker's Clouddriver component, specifically within the 'clouddriver-artifacts-gitrepo' artifact type. This issue affects versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability arises from improper sanitization of user-supplied branch and path values, allowing an attacker to execute arbitrary commands on the Clouddriver pods. Successful exploitation could expose credentials, delete files, or inject resources.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on Clouddriver pods, with potential consequences including exposure of credentials, unauthorized file deletion, or injection of resources.
Remediation
Upgrade to Spinnaker version 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2, all of which include the patch. As a temporary workaround until the upgrade is possible, disable Gitrepo artifact types so that Clouddriver never processes user-supplied branch and path values for this artifact type.
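The advisory attributes the issue to unsanitized branch and path values reaching command execution. The following is an added defensive example, not Spinnaker's code and not a reconstruction of the vulnerable code path (which the advisory does not show): it demonstrates the general pattern a service that shells out to git should apply, namely allow-list validation of ref names (approximating git's own check-ref-format rules) and of repository sub-paths, and building an argv list with a `--` separator rather than a shell string. The function names and the checkout command shape are assumptions for illustration.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Hypothetical validator (not Spinnaker's): a conservative allow-list for git ref
# names that approximates `git check-ref-format`. Only ASCII letters, digits,
# '.', '_', '-' and '/' are permitted, so shell metacharacters, whitespace,
# control characters and a leading '-' (option injection) are all rejected.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def is_safe_branch(name: str) -> bool:
    """True only if `name` is a plausible, shell-safe and option-safe branch name."""
    if not name or len(name) > 255 or not _REF_RE.match(name):
        return False
    if ".." in name or "@{" in name:  # git refuses both in ref names
        return False
    for part in name.split("/"):
        # no empty components ('a//b'), no hidden components, no trailing '.' or '.lock'
        if part == "" or part.startswith(".") or part.endswith(".") or part.endswith(".lock"):
            return False
    return True


def is_safe_subpath(path: str) -> bool:
    """Reject absolute paths, traversal, NUL bytes and option-like names."""
    if not path or "\x00" in path or path.startswith("-"):
        return False
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts:
        return False
    return True


def build_git_argv(repo_dir: str, branch: str, subpath: str) -> list[str]:
    """Build an argv *list* (never a shell string) to check out one path from a branch.

    Raises ValueError on any value that fails validation, so a rejected branch or
    path never reaches git at all. The '--' stops git from treating the
    user-controlled path as an option.
    """
    if not is_safe_branch(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    if not is_safe_subpath(subpath):
        raise ValueError(f"rejected path: {subpath!r}")
    return ["git", "-C", repo_dir, "checkout", branch, "--", subpath]


def run_git_checkout(repo_dir: str, branch: str, subpath: str) -> subprocess.CompletedProcess:
    """Execute the validated command with shell=False (the default), so no shell parses it."""
    argv = build_git_argv(repo_dir, branch, subpath)
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs: one benign request and one malformed branch value.
    print(build_git_argv("/tmp/repo", "release/2025.4", "manifests/app.yml"))
    try:
        build_git_argv("/tmp/repo", "main; id", "manifests/app.yml")
    except ValueError as exc:
        print("blocked:", exc)
```

The validation is deliberately stricter than git's own rules (for example, it disallows non-ASCII ref names), which is the right trade-off for a service that accepts these values from callers: anything the allow-list rejects can be re-requested in a compliant form, whereas a single missed metacharacter is a command-injection primitive.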
