PatchSiren cyber security CVE debrief
CVE-2026-55175 spinnaker CVE debrief
CVE-2026-55175 is a high-severity vulnerability in Spinnaker, an open-source, multi-cloud continuous delivery platform. The issue affects Kustomize bake operations, allowing unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. The vulnerability is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4. Users of Spinnaker, especially those utilizing Kustomize bake operations in rosco manifests, should be aware of this vulnerability and take immediate action to upgrade to patched versions.
- Vendor
- spinnaker
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Spinnaker, especially those utilizing Kustomize bake operations in rosco manifests, should be aware of this vulnerability. Immediate attention is required to upgrade to patched versions to prevent potential remote code execution. Operators, platform administrators, vulnerability management teams, and security teams should review their current configurations and ensure that Kustomize bake operations are properly secured.
Technical summary
The vulnerability in Spinnaker's Kustomize bake operations allows for unsafe YAML tag processing, which can be exploited to execute remote code on rosco pods during Kustomize bakes. This issue is addressed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 of Spinnaker. Affected users should review their configurations to prevent potential remote code execution. The vulnerability has a high severity and requires immediate attention to upgrade to patched versions. Users of Spinnaker, especially those utilizing Kustomize bake operations in rosco manifests, should be aware of this vulnerability and take immediate action to secure their environments.
Defensive priority
High priority should be given to upgrading Spinnaker to the latest patched versions. Users should review their current configurations and ensure that Kustomize bake operations are properly secured.
Recommended defensive actions
- Upgrade Spinnaker to version 2026.1.1, 2026.0.3, 2025.4.4, or 2025.3.4, or later.
- Review and restrict Kustomize bake operations to minimize exposure.
- Monitor rosco pods for suspicious activity.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-10T23:16:48.487Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. This vulnerability affects Spinnaker's Kustomize bake operations, allowing unsafe YAML tag processing in rosco manifests, which can lead to remote code execution on rosco pods. The issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4. Users should verify their current configurations and ensure that Kustomize bake operations are properly secured.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T23:16:48.487Z and has not been modified since then. The NVD entry is currently 7.5 HIGH.