CVE-2026-55175 in Spinnakerinfo

Summary

by MITRE • 07/11/2026

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability affects Spinnaker's Kustomize bake operations within the rosco component, which serves as a continuous delivery platform for multi-cloud environments. This flaw stems from unsafe YAML tag processing that occurs during manifest parsing, creating a critical security risk that can be exploited remotely. The issue specifically impacts versions prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 across their respective release lines, making numerous installations potentially vulnerable to exploitation.

The technical flaw resides in how rosco handles YAML manifests during Kustomize bake operations, where the system processes unsafe YAML tags that can be manipulated by attackers to execute arbitrary code on the rosco pods. This represents a classic deserialization vulnerability that allows remote code execution through crafted input data. The vulnerability enables attackers to inject malicious YAML content that gets processed by the Kustomize engine, bypassing normal security controls and potentially gaining full control over the affected pods.

The operational impact of this vulnerability is severe as it provides remote attackers with the ability to execute arbitrary commands on rosco pods, which serve as critical components in Spinnaker's continuous delivery pipeline. This could lead to complete compromise of the deployment infrastructure, allowing attackers to access sensitive data, modify deployment configurations, or even take control of entire cloud environments managed through Spinnaker. The vulnerability affects organizations that rely on Kustomize for infrastructure management and automated deployments.

Organizations should immediately upgrade to the patched versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 to remediate this vulnerability. Additional mitigations include implementing network segmentation to limit access to rosco components, enforcing strict input validation for YAML manifests, and monitoring for suspicious Kustomize operations. Security teams should also consider implementing runtime protection mechanisms and regular security assessments of their Spinnaker deployments.

This vulnerability aligns with CWE-502 which describes unsafe deserialization of untrusted data, and maps to ATT&CK technique T1059.006 for remote code execution through YAML processing. The flaw demonstrates the critical importance of secure configuration management in cloud-native environments where automated deployment systems become prime targets for attackers seeking persistent access to enterprise infrastructure.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!