Home

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.

PUBLISHED Reserved 2026-06-16 | Published 2026-07-10 | Updated 2026-07-13 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

>= 2026.1.0, < 2026.1.1
affected

>= 2026.0.0, < 2026.0.3
affected

>= 2025.4.0, < 2025.4.4
affected

< 2025.3.4
affected

References

github.com/...nnaker/security/advisories/GHSA-p68j-q7hf-3qcp

github.com/...ommit/2d75818b85cc4c35144d5e5ed45e7340fcab5dfe

github.com/...ommit/bbc30c9b9034a056e95f012fa1b34e9fd703cae7

github.com/...ommit/de5a7a05af35aee19eb71d289cd0b77f67509009

github.com/...ommit/df32d568e82519d9f3896fc9007baba0077c87fd

github.com/...ommit/f5cec213f8cf207843ed5a6929395960a1ca094f

github.com/spinnaker/spinnaker/releases/tag/rosco-2025.3.4

github.com/spinnaker/spinnaker/releases/tag/rosco-2025.4.4

github.com/spinnaker/spinnaker/releases/tag/rosco-2026.0.3

github.com/spinnaker/spinnaker/releases/tag/rosco-2026.1.1

github.com/spinnaker/spinnaker/releases/tag/rosco-2026.2.0

cve.org (CVE-2026-55175)

nvd.nist.gov (CVE-2026-55175)

Download JSON