CVE-2026-44795 · HIGH · CVSS 8.5

Spinnaker has non-safe YAML deserialization, allowing RCE when using specific types

Published Jun 22, 2026·Updated Jun 22, 2026

Description

### Impact

An unsafe YAML processing vulnerability bypasses safe deserialization. It impacts users when performing:

* CloudFormation deployments
* CloudFoundry Baking

The use of a non-safe constructor allows arbitrary loading of Java classes, leading to RCE.

### Patches

2025.3.3, 2026.0.3 and 2025.4.4.

### Workarounds

Disable the CloudFormation system and CloudFoundry baking operations.

### Resources

Join Spinnaker on Slack for more information!
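The difference between a non-safe and a safe constructor, as described under Impact, shown as an added example; this is not Spinnaker's code or its patch. It assumes the SnakeYAML 2.x library (the advisory does not name the parser), and the class name, method names and sample document are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Hypothetical demo class; assumes SnakeYAML 2.x on the classpath.
public class YamlLoadingDemo {
    // Constructed input: a template-like document in which one value carries a
    // global tag naming a harmless JDK class, standing in for an untrusted type.
    static final String TAGGED_DOC =
        "Description: constructed sample\n"
        + "Retries: !!java.util.concurrent.atomic.AtomicInteger [3]\n";
    static final String PLAIN_DOC =
        "Description: constructed sample\n"
        + "Retries: 3\n";

    // Weak pattern: the general-purpose Constructor maps global tags to Java
    // classes and instantiates them. SnakeYAML 2.x does this only when the tag
    // inspector is opened up, as it is here.
    static Object loadPermissive(String text) {
        LoaderOptions options = new LoaderOptions();
        options.setTagInspector(tag -> true); // accept every global tag
        return new Yaml(new Constructor(options)).load(text);
    }

    // Hardened pattern: SafeConstructor builds only standard YAML types
    // (maps, lists, strings, numbers, ...), never a class chosen by the document.
    static Object loadSafe(String text) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(text);
    }

    public static void main(String[] args) {
        Map<?, ?> loaded = (Map<?, ?>) loadPermissive(TAGGED_DOC);
        System.out.println("permissive: Retries is a "
            + loaded.get("Retries").getClass().getName());
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("safe: tagged document accepted");
        } catch (YAMLException e) {
            System.out.println("safe: tagged document rejected ("
                + e.getClass().getSimpleName() + ")");
        }
        Map<?, ?> plain = (Map<?, ?>) loadSafe(PLAIN_DOC);
        System.out.println("safe: plain document loaded, Retries=" + plain.get("Retries"));
    }
}
```

With the permissive loader the document, not the application, decides which class is instantiated; the safe loader refuses the tagged document while still parsing ordinary templates.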

Affected Packages (2)

io.spinnaker.orca:orca-core (Maven)
Fixed in 2025.3.3
io.spinnaker.rosco:rosco-core (Maven)
Fixed in 2025.3.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
