CVE-2026-44795

Summary

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading of Java classes, leading to remote code execution. This issue is fixed in versions 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3.

Affected Software

VendorProductVersion RangeStatus
spinnakerspinnaker>= 2025.4.0, < 2025.4.4affected
spinnakerspinnaker>= 2026.0.0, < 2026.0.3affected
spinnakerspinnaker< 2025.3.3affected

Weaknesses

  • CWE-470: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
  • CWE-502: CWE-502: Deserialization of Untrusted Data

References