CVE-2026-55175
7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| spinnaker | spinnaker | >= 2026.1.0, < 2026.1.1 | affected |
| spinnaker | spinnaker | >= 2026.0.0, < 2026.0.3 | affected |
| spinnaker | spinnaker | >= 2025.4.0, < 2025.4.4 | affected |
| spinnaker | spinnaker | < 2025.3.4 | affected |
Weaknesses
- CWE-502: CWE-502: Deserialization of Untrusted Data
References
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-p68j-q7hf-3qcp
- https://github.com/spinnaker/spinnaker/commit/2d75818b85cc4c35144d5e5ed45e7340fcab5dfe
- https://github.com/spinnaker/spinnaker/commit/bbc30c9b9034a056e95f012fa1b34e9fd703cae7
- https://github.com/spinnaker/spinnaker/commit/de5a7a05af35aee19eb71d289cd0b77f67509009
- https://github.com/spinnaker/spinnaker/commit/df32d568e82519d9f3896fc9007baba0077c87fd
- https://github.com/spinnaker/spinnaker/commit/f5cec213f8cf207843ed5a6929395960a1ca094f
- https://github.com/spinnaker/spinnaker/releases/tag/rosco-2025.3.4
- https://github.com/spinnaker/spinnaker/releases/tag/rosco-2025.4.4
- https://github.com/spinnaker/spinnaker/releases/tag/rosco-2026.0.3
- https://github.com/spinnaker/spinnaker/releases/tag/rosco-2026.1.1
- https://github.com/spinnaker/spinnaker/releases/tag/rosco-2026.2.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.