Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading of Java classes, leading to remote code execution. This issue is fixed in versions 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3.

Project Subscriptions

Vendors Products
Spinnaker Subscribe
Spinnaker Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c8q4-9h32-2ww8 Spinnaker has uon-safe yaml deserialization, allowing RCE when using specific types
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sat, 11 Jul 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Spinnaker
Spinnaker spinnaker
Vendors & Products Spinnaker
Spinnaker spinnaker

Fri, 10 Jul 2026 22:00:00 +0000

Type Values Removed Values Added
Description Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading of Java classes, leading to remote code execution. This issue is fixed in versions 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3.
Title Spinnaker: Non-safe yaml deserialization allowing RCE when using specific types
Weaknesses CWE-470
CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-10T21:49:27.287Z

Reserved: 2026-05-07T19:20:44.693Z

Link: CVE-2026-44795

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-11T03:45:16Z

Weaknesses