PatchSiren cyber security CVE debrief
CVE-2026-44795 spinnaker CVE debrief
CVE-2026-44795 is a high-severity vulnerability in Spinnaker, an open-source multi-cloud continuous delivery platform. The issue allows for remote code execution due to unsafe YAML processing, which bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. This occurs because of the use of a non-safe constructor that enables arbitrary loading of Java classes.
- Vendor
- spinnaker
- Product
- Unknown
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Spinnaker, especially those utilizing CloudFormation deployments or CloudFoundry baking, should be aware of this vulnerability. Given its high CVSS score of 8.8, it is crucial for administrators and developers to assess their exposure and take necessary actions to mitigate the risk.
Technical summary
The vulnerability in Spinnaker arises from the unsafe processing of YAML, which allows for the bypass of safe deserialization mechanisms. Specifically, when using CloudFormation deployments or CloudFoundry baking, the platform's handling of YAML enables the arbitrary loading of Java classes. This is possible due to the utilization of a non-safe constructor in the YAML processing pipeline. The result is a remote code execution vulnerability, which has been assigned a CVSS score of 8.8, categorizing it as HIGH severity. The issue has been addressed in Spinnaker versions 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3.
Defensive priority
High
Recommended defensive actions
- Inventory and assess Spinnaker deployments for exposure
- Apply patches or upgrades to versions 2026.1.0, 2026.0.3, 2025.4.4, or 2025.3.3
- Implement compensating controls such as restricting access to YAML processing components
- Monitor for suspicious activity related to YAML processing and deserialization
- Review Spinnaker deployment configurations for potential vulnerabilities
- Track and verify changes to YAML processing components
- Document verification of mitigations and compensating controls
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. Additional references include commits and advisories from the Spinnaker GitHub repository. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify the affected versions and configurations, assess exposure, and apply patches or mitigations as needed.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:41.717Z and has not been modified since then.