Search
Find a vulnerability
Search criteria
Related vulnerabilities
GHSA-C8Q4-9H32-2WW8
Vulnerability from github – Published: 2026-06-22 20:43 – Updated: 2026-06-22 20:43
VLAI
Summary
Spinnaker has uon-safe yaml deserialization, allowing RCE when using specific types
Details
Impact
There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when when performing: * CloudFormation deployments * CloudFoundry Baking
The usage of a non-safe constructor use allows arbitrary loading of Java classes leading to RCE.
Patches
2025.3.3, 2026.0.3 and 2025.4.4.
Workarounds
Disable the CloudFormation system and cloudfoundry baking operations.
Resources
Join Spinnaker on Slack for more information!
Severity
8.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.spinnaker.rosco:rosco-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.spinnaker.orca:orca-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.spinnaker.rosco:rosco-core"
},
"ranges": [
{
"events": [
{
"introduced": "2025.4.0"
},
{
"fixed": "2025.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.spinnaker.rosco:rosco-core"
},
"ranges": [
{
"events": [
{
"introduced": "2026.0.0"
},
{
"fixed": "2026.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.spinnaker.orca:orca-core"
},
"ranges": [
{
"events": [
{
"introduced": "2025.4.0"
},
{
"fixed": "2025.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.spinnaker.orca:orca-core"
},
"ranges": [
{
"events": [
{
"introduced": "2026.0.0"
},
{
"fixed": "2026.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44795"
],
"database_specific": {
"cwe_ids": [
"CWE-470",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T20:43:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThere\u0027s an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when when performing:\n* CloudFormation deployments\n* CloudFoundry Baking\n\nThe usage of a non-safe constructor use allows arbitrary loading of Java classes leading to RCE.\n\n### Patches\n 2025.3.3, 2026.0.3 and 2025.4.4.\n\n### Workarounds\nDisable the CloudFormation system and cloudfoundry baking operations.\n\n### Resources\nJoin Spinnaker on Slack for more information!",
"id": "GHSA-c8q4-9h32-2ww8",
"modified": "2026-06-22T20:43:37Z",
"published": "2026-06-22T20:43:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-c8q4-9h32-2ww8"
},
{
"type": "PACKAGE",
"url": "https://github.com/spinnaker/spinnaker"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spinnaker has uon-safe yaml deserialization, allowing RCE when using specific types"
}