CVE-2026-25534 CRITICAL

CVE-2026-25534: Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames

Vendor Io.spinnaker.clouddriver
Product clouddriver-artifacts
Weakness CWE-918 · SSRF
Published March 17, 2026
Last update March 17, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

Description

Impact

Spinnaker updated the URL validation logic applied to user input so that user-supplied URLs for clouddriver are sanitized. However, the fix overlooked that Java URL objects do not correctly handle underscores when parsing hostnames. This allowed the fix for the previous CVE (CVE-2025-61916) to be bypassed through carefully crafted URLs. Spinnaker found the same flaw not only in the code patched for that CVE but also in the existing URL validation in Orca's fromUrl expression handling, so this CVE impacts BOTH artifacts.

Patches

The fix has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.

Workarounds

You can disable the various artifacts on this system to work around this issue.
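The following is an added example, not Spinnaker's own validation code, showing the general java.net behaviour the advisory refers to: java.net.URL returns a hostname containing an underscore unchanged, while java.net.URI returns a null host for it, so a check that consults only one parser (or treats a null host as "nothing to validate") can be bypassed. The sample URLs, the allow-list hostname and the class name are constructed for this example; the fail-closed check is one possible mitigation, not the project's fix.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Set;

public class HostParseCheck {

    // Illustrative fail-closed host check: accept a URL only when java.net.URL and
    // java.net.URI both yield a host, the two agree, and the host is on the allow-list.
    // java.net.URI returns a null host when the authority violates the RFC 2396 hostname
    // grammar (an underscore does), whereas java.net.URL is lenient and returns the
    // underscore host as-is.
    static boolean isAllowedHost(String candidate, Set<String> allowedHosts) {
        try {
            URL url = new URL(candidate);   // deprecated since JDK 20, but it is the API at issue
            URI uri = new URI(candidate);
            String urlHost = url.getHost();
            String uriHost = uri.getHost();
            if (urlHost == null || urlHost.isEmpty() || uriHost == null) {
                return false;               // fail closed: no host, or the parsers disagree
            }
            if (!urlHost.equalsIgnoreCase(uriHost)) {
                return false;               // fail closed: parsers saw different hosts
            }
            return allowedHosts.contains(urlHost.toLowerCase());
        } catch (MalformedURLException | URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs; the allow-listed hostname is made up for this example.
        Set<String> allowed = Set.of("artifacts.example.com");
        String[] samples = {
            "https://artifacts.example.com/repo/file.txt",
            "https://arti_facts.example.com/repo/file.txt"
        };
        for (String s : samples) {
            URL url = new URL(s);
            URI uri = new URI(s);
            System.out.printf("%s%n  URL.getHost()=%s  URI.getHost()=%s  allowed=%b%n",
                    s, url.getHost(), uri.getHost(), isAllowedHost(s, allowed));
        }
    }
}
```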

Key dates

Disclosure timeline

March 17, 2026 CVE published
March 17, 2026 Record updated