Spinnaker Echo Spring Expression Language Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Spinnaker Echo versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The issue arises because Echo, unlike other Spinnaker services, does not restrict the Spring Expression Language (SpEL) evaluation context to trusted classes, so expressions have full access to the Java Virtual Machine (JVM). Without this restriction, users can invoke arbitrary Java classes, potentially leading to execution of commands, access to files, and other system-level actions.
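The difference between an unrestricted and a restricted SpEL context is the whole of this issue, so the following added example (not Spinnaker code and not the fix shipped in the versions listed here) shows the generic Spring mechanisms a service can use to keep type references inside an allow-list. The class name, the contents of TRUSTED_TYPES and the sample expressions are assumptions made for illustration; only benign type references are used, since the point is to show which references each context lets through and which it rejects.

```java
import java.util.Set;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.TypeLocator;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.SpelMessage;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.expression.spel.support.StandardTypeLocator;

public class SpelContextDemo {
    // Hypothetical allow-list. A real service would list only the classes its
    // templates genuinely need; the name is matched exactly as written in the
    // expression, so an unqualified "T(Math)" is rejected unless "Math" is listed.
    private static final Set<String> TRUSTED_TYPES = Set.of("java.lang.Math", "java.lang.String");

    /** Unrestricted context: T(...) resolves any class reachable on the classpath. */
    static EvaluationContext unrestricted() {
        return new StandardEvaluationContext();
    }

    /** Restricted context: type references resolve only for allow-listed names. */
    static EvaluationContext allowListed() {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        TypeLocator delegate = new StandardTypeLocator();
        ctx.setTypeLocator(typeName -> {
            if (!TRUSTED_TYPES.contains(typeName)) {
                // Same failure SpEL raises for an unknown class, so callers need no new handling.
                throw new SpelEvaluationException(SpelMessage.TYPE_NOT_FOUND, typeName);
            }
            return delegate.findType(typeName);
        });
        return ctx;
    }

    /** Data-binding-only context: no type references, constructors or bean references at all. */
    static EvaluationContext dataBindingOnly() {
        return SimpleEvaluationContext.forReadOnlyDataBinding().build();
    }

    /** Evaluates one expression and reports whether the context allowed it. */
    static String evaluate(String expression, EvaluationContext ctx) {
        try {
            Object value = new SpelExpressionParser().parseExpression(expression).getValue(ctx);
            return "allowed  -> " + value;
        } catch (EvaluationException e) {
            return "rejected -> " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample expressions: one allow-listed class, one not.
        String trusted = "T(java.lang.Math).max(2, 3)";
        String untrusted = "T(java.lang.System).getProperty('java.version')";

        for (String expr : new String[] {trusted, untrusted}) {
            System.out.println("expression: " + expr);
            System.out.println("  unrestricted : " + evaluate(expr, unrestricted()));
            System.out.println("  allow-listed : " + evaluate(expr, allowListed()));
            System.out.println("  data-binding : " + evaluate(expr, dataBindingOnly()));
        }
    }
}
```

The unrestricted context evaluates both expressions, the allow-listed context evaluates only the java.lang.Math call, and the data-binding-only context rejects every T(...) reference. A service that evaluates user-supplied expressions should start from the most restrictive context it can work with and widen it only through an explicit allow-list, which is the property the advisory says Echo lacked.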

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Spinnaker Echo is running.

Remediation

Users can upgrade to Spinnaker Echo versions 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 to address this vulnerability. Alternatively, Echo can be disabled entirely.

Added: Apr 20, 2026, 9:27 PM
Updated: Apr 20, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.7
remediation: 0.0
relevance: 6.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.