Critical (9.1)

Spinnaker URL Validation Bypass (CVE-2026-25534)


Impact (excerpt from the upstream advisory): Spinnaker updated URL validation logic on user input to provide sanitation on user-inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle undersc...

Overview

A critical vulnerability has been identified in Spinnaker, the open-source continuous delivery platform. Tracked as CVE-2026-25534, the flaw lets an attacker bypass URL validation with a crafted URL whose hostname contains underscores. It defeats the fix shipped for the earlier CVE-2025-61916 and puts the integrity of deployment pipelines at risk.

Vulnerability Details

The vulnerability stems from how Java's standard URL classes parse addresses. Spinnaker added validation logic to sanitize user-supplied URLs, but that logic did not account for hostnames containing underscores. Underscores are not permitted in RFC 1123 hostnames, and Java's parsers disagree on how to treat them: java.net.URI does not recognise such an authority as a server-based host (its getHost() returns null), while the lenient java.net.URL returns the underscore name unchanged, and HTTP clients will generally go ahead and resolve it. A URL that a validator sees as having no host to check, or a different host, can therefore be handed to a downstream component that connects to it anyway. The advisory does not spell out Spinnaker's exact code path; the parser behaviour described here is standard Java behaviour.

The issue was found not only in the Clouddriver service, the focus of the previous CVE, but also in the handling of fromUrl expressions in the Orca service, so both core Spinnaker services are affected.
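To make the parser discrepancy concrete, the following is an added example written for this page; it is not Spinnaker's validation code, and the class name UrlHostCheck, the helpers naiveAllows, strictAllows and resolvesToInternal, the denylist and the sample URLs are all constructed for illustration. It contrasts java.net.URI and java.net.URL on an underscore hostname, shows a validator pattern that the trick defeats (the host comes back null, so nothing gets checked), and a fail-closed check that requires both parsers to agree, enforces RFC 1123 label syntax and refuses anything that resolves to loopback, link-local (where cloud metadata endpoints live), private or wildcard addresses.

```java
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.regex.Pattern;

/** Added example, not Spinnaker code: URI vs URL on underscore hosts, and a fail-closed validator. */
public class UrlHostCheck {

    // RFC 1123 hostname label: alphanumerics and hyphens only; an underscore never matches.
    private static final Pattern LABEL =
            Pattern.compile("[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    /** Host as java.net.URI sees it: null when the authority is not a valid server-based authority. */
    static String uriHost(String input) {
        try {
            return new URI(input).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Host as java.net.URL sees it: the lenient parser keeps whatever sits in the authority. */
    @SuppressWarnings("deprecation")
    static String urlHost(String input) {
        try {
            return new URL(input).getHost();
        } catch (MalformedURLException e) {
            return null;
        }
    }

    /** Hypothetical validator pattern the underscore trick defeats (constructed for this example). */
    static boolean naiveAllows(String input) {
        String host = uriHost(input);
        if (host == null) {
            return true;   // BUG: "no host" is treated as "nothing to block" instead of "reject"
        }
        return !host.equalsIgnoreCase("169.254.169.254") && !host.equalsIgnoreCase("localhost");
    }

    /** Hardened check: both parsers must agree, labels must be RFC 1123, and the target must not be internal. */
    static boolean strictAllows(String input) {
        String viaUri = uriHost(input);
        String viaUrl = urlHost(input);
        if (viaUri == null || viaUrl == null || !viaUri.equalsIgnoreCase(viaUrl)) {
            return false;  // no server-based host, or the parsers disagree: fail closed
        }
        String host = viaUri.toLowerCase(Locale.ROOT);
        boolean ipLiteral = host.startsWith("[")
                || host.chars().allMatch(c -> c == '.' || Character.isDigit(c));
        if (!ipLiteral) {
            for (String label : host.split("\\.", -1)) {
                if (!LABEL.matcher(label).matches()) {
                    return false;  // rejects underscores, empty labels and other non-hostname syntax
                }
            }
        }
        return !resolvesToInternal(host);
    }

    /** Resolve the host and refuse loopback, link-local, site-local (RFC 1918) and wildcard addresses. */
    static boolean resolvesToInternal(String host) {
        try {
            for (InetAddress a : InetAddress.getAllByName(host)) {
                if (a.isLoopbackAddress() || a.isLinkLocalAddress()
                        || a.isSiteLocalAddress() || a.isAnyLocalAddress()) {
                    return true;
                }
            }
            return false;
        } catch (UnknownHostException e) {
            return true;   // unresolvable: fail closed rather than let the HTTP client decide
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a metadata endpoint, an underscore host, and a documentation-range IP.
        String[] samples = {
            "http://169.254.169.254/latest/meta-data/",  // link-local: both validators should block it
            "http://internal_host/",                     // URI.getHost() is null here, URL.getHost() keeps the name
            "http://198.51.100.10/"                      // ordinary external address (TEST-NET-2)
        };
        for (String s : samples) {
            System.out.printf("%-44s URI.getHost=%-16s URL.getHost=%-16s naive=%-5s strict=%s%n",
                    s, uriHost(s), urlHost(s), naiveAllows(s), strictAllows(s));
        }
    }
}
```

Compile and run with `javac UrlHostCheck.java && java UrlHostCheck`. Only IP literals appear in main, so it runs without DNS; for a real hostname, strictAllows performs a lookup and treats resolution failure as a block. The underscore case is the one to watch: naiveAllows lets it through because there is no host to compare against the denylist, while strictAllows rejects it before any lookup because the two parsers disagree. Whoever controls the DNS zone of an underscore name can point it at an internal address, which is why the resolution check matters even once the syntax check is in place.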

Impact and Severity

This vulnerability is rated CRITICAL with a CVSS score of 9.1. Successful exploitation could allow an attacker to:

  • Bypass security controls intended to restrict network access from the Spinnaker deployment.
  • Potentially trigger server-side request forgery (SSRF) attacks, forcing Spinnaker to make requests to internal or arbitrary external systems.
  • Compromise the continuous delivery pipeline, which could lead to further system compromise or data exposure.


Remediation and Mitigation

The primary and strongly recommended action is to apply the official patches.

Patched Versions:

  • Spinnaker 2026.0.0
  • Spinnaker 2025.4.1
  • Spinnaker 2025.3.1
  • Spinnaker 2025.2.4

If immediate patching is not possible, the only workaround is to disable the affected artifacts (the relevant Clouddriver artifact handling and the fromUrl expression in Orca). This will break any pipeline that depends on those features, so it is a stopgap until the upgrade can be applied, not a sustainable fix.

Conclusion

CVE-2026-25534 is a severe flaw that undermines URL validation in a key continuous delivery platform. Organizations running Spinnaker should prioritize upgrading to one of the patched versions listed above to close this bypass; disabling the affected artifacts buys time but does not replace the upgrade.
