PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44795 spinnaker CVE debrief

CVE-2026-44795 is a high-severity vulnerability in Spinnaker, an open-source multi-cloud continuous delivery platform. The issue allows for remote code execution due to unsafe YAML processing, which bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. This occurs because of the use of a non-safe constructor that enables arbitrary loading of Java classes.

Vendor
spinnaker
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Spinnaker, especially those utilizing CloudFormation deployments or CloudFoundry baking, should be aware of this vulnerability. Given its high CVSS score of 8.8, it is crucial for administrators and developers to assess their exposure and take necessary actions to mitigate the risk.

Technical summary

The vulnerability in Spinnaker arises from the unsafe processing of YAML, which allows for the bypass of safe deserialization mechanisms. Specifically, when using CloudFormation deployments or CloudFoundry baking, the platform's handling of YAML enables the arbitrary loading of Java classes. This is possible due to the utilization of a non-safe constructor in the YAML processing pipeline. The result is a remote code execution vulnerability, which has been assigned a CVSS score of 8.8, categorizing it as HIGH severity. The issue has been addressed in Spinnaker versions 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3.

Defensive priority

High

Recommended defensive actions

  • Inventory and assess Spinnaker deployments for exposure
  • Apply patches or upgrades to versions 2026.1.0, 2026.0.3, 2025.4.4, or 2025.3.3
  • Implement compensating controls such as restricting access to YAML processing components
  • Monitor for suspicious activity related to YAML processing and deserialization
  • Review Spinnaker deployment configurations for potential vulnerabilities
  • Track and verify changes to YAML processing components
  • Document verification of mitigations and compensating controls

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Additional references include commits and advisories from the Spinnaker GitHub repository. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify the affected versions and configurations, assess exposure, and apply patches or mitigations as needed.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:41.717Z and has not been modified since then.