{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/spel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-32613"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["spel","code-execution","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSpinnaker is an open-source, multi-cloud continuous delivery platform. The Echo service, like other services within Spinnaker, uses Spring Expression Language (SpEL) for processing information, specifically concerning expected artifacts. However, versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 did not restrict the SpEL evaluation context to a set of trusted classes, granting full JVM access, unlike Orca. This unrestricted access enables a user to leverage arbitrary Java classes, facilitating deep system access. This vulnerability allows attackers to execute arbitrary commands, access sensitive files, and potentially compromise the entire Spinnaker environment. Defenders should upgrade to patched versions or disable the Echo service as a workaround to mitigate this critical risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious payload containing a SpEL expression.\u003c/li\u003e\n\u003cli\u003eThis payload is submitted to the Echo service via a network request, likely through a specifically crafted API call involving expected artifacts.\u003c/li\u003e\n\u003cli\u003eThe Echo service processes the request and evaluates the malicious SpEL expression without proper context restrictions.\u003c/li\u003e\n\u003cli\u003eThe SpEL expression leverages Java classes to bypass security controls and gain access to underlying system resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the unrestricted JVM access to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eSuccessful command execution allows the attacker to read and write files on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages file access to obtain sensitive information such as credentials or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally within the Spinnaker environment or target connected cloud resources. The final objective is likely complete control over the Spinnaker deployment and its connected infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for arbitrary code execution on the Spinnaker server. This can lead to complete system compromise, allowing attackers to steal sensitive data, disrupt continuous delivery pipelines, and potentially gain access to connected cloud environments. Due to the critical nature of Spinnaker in managing deployments, a successful attack could severely impact an organization\u0026rsquo;s ability to deploy and maintain applications, potentially leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Spinnaker instances to versions 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 to patch CVE-2026-32613.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, disable the Echo service entirely until the upgrade can be performed, referencing the vendor documentation for disabling specific Spinnaker services.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual HTTP requests to the Echo service endpoints, specifically looking for suspicious patterns or attempts to inject SpEL expressions, using the Sigma rule provided below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T21:19:10Z","date_published":"2026-04-20T21:19:10Z","id":"/briefs/2026-04-spinnaker-spel/","summary":"Unrestricted access to the JVM via Spring Expression Language (SpEL) in Spinnaker's Echo service allows for arbitrary code execution, enabling attackers to invoke commands and access files.","title":"Spinnaker Echo Service Vulnerable to Spring Expression Language Injection","url":"https://feed.craftedsignal.io/briefs/2026-04-spinnaker-spel/"}],"language":"en","title":"CraftedSignal Threat Feed — Spel","version":"https://jsonfeed.org/version/1.1"}