{"id":"CVE-2026-25534","summary":"Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames","details":"### Impact\nSpinnaker updated its URL validation logic to sanitize user-supplied URLs for clouddriver. However, the update missed that Java URL objects do not correctly handle underscores when parsing. This led to a bypass of the fix for the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note that Spinnaker found this issue not only in that CVE, but also in the existing URL validations in Orca fromUrl expression handling. As a result, this CVE impacts BOTH artifacts.\n\n### Patches\nThe fix has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.\n\n### Workarounds\nYou can disable the various artifacts on this system to work around these limits.","aliases":["GHSA-8r8j-gfhg-fw38"],"modified":"2026-04-10T05:40:38.722473Z","published":"2026-03-17T17:27:41.345Z","related":["GHSA-8r8j-gfhg-fw38","GHSA-vrjc-q2fh-6x9h"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25534.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25534.json"},{"type":"ADVISORY","url":"https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38"},{"type":"ADVISORY","url":"https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25534"},{"type":"FIX","url":"https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spinnaker/spinnaker","events":[{"introduced":"0"},{"fixed":"b26345757c52cbef2ab3a9b56513873b1caeca7c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2025.2.4"}]}},{"type":"GIT","repo":"https://github.co
m/spinnaker/spinnaker","events":[{"introduced":"ed0023ebff55956d438e0a2424c1c1c66e220f41"},{"fixed":"c973386a8c523a53af4f04386134b7e37e2bbfc4"}],"database_specific":{"versions":[{"introduced":"2025.3.0"},{"fixed":"2025.3.1"}]}},{"type":"GIT","repo":"https://github.com/spinnaker/spinnaker","events":[{"introduced":"6465902a6651ea50fa821259c7bbe68475e49251"},{"fixed":"aa57ea001b59ca769dd0920aed64e51e8428ff1f"}],"database_specific":{"versions":[{"introduced":"2025.4.0"},{"fixed":"2025.4.1"}]}}],"versions":["bn-clouddriver-release-2025.2.x-5","bn-deck-kayenta-main-2","bn-deck-kayenta-release-2025.0.x-0","bn-deck-kayenta-release-2025.1.x-0","bn-deck-kayenta-release-2025.2.x-4","bn-deck-kayenta-release-2025.3.x-6","bn-deck-release-2025.0.x-0","bn-deck-release-2025.1.x-0","bn-deck-release-2025.2.x-2","bn-deck-release-2025.3.x-3","bn-deck-release-2025.4.x-4","bn-echo-release-2025.2.x-1","bn-fiat-release-2025.2.x-0","bn-front50-release-2025.2.x-0","bn-gate-release-2025.2.x-3","bn-halyard-release-2025.2.x-6","bn-igor-release-2025.2.x-0","bn-kayenta-release-2025.2.x-9","bn-keel-release-2025.2.x-0","bn-orca-release-2025.2.x-9","bn-rosco-release-2025.2.x-0","bn-spin-release-2025.0.x-0","bn-spin-release-2025.1.x-0","bn-spin-release-2025.2.x-0","bn-spin-release-2025.3.x-3","bn-spin-release-2025.4.x-0","bn-spinnaker-libraries-release-2025.2.x-16","bn-spinnaker-release-2025.2.x-3","bn-spinnaker-release-2025.3.x-0","bn-spinnaker-release-2025.4.x-0","clouddriver-2025.0-0","clouddriver-2025.1-0","clouddriver-2025.1.0","clouddriver-2025.2-0","clouddriver-2025.2-1","clouddriver-2025.2-2","clouddriver-2025.2-3","clouddriver-2025.2-4","clouddriver-2025.2-5","clouddriver-2025.2.0","clouddriver-2025.2.1","clouddriver-2025.2.2","clouddriver-2025.2.3","clouddriver-2025.2.4","clouddriver-2025.3-2","clouddriver-2025.3-3","clouddriver-2025.3.0","clouddriver-2025.3.1","clouddriver-2025.4-0","clouddriver-2025.4-1","clouddriver-2025.4-2","clouddriver-2025.4-3","clouddriver-2025.4.0","clouddriver-2025
.4.1","clouddriver-main-10","clouddriver-main-11","clouddriver-main-12","clouddriver-main-13","clouddriver-main-14","clouddriver-main-15","clouddriver-main-16","clouddriver-main-17","clouddriver-main-18","clouddriver-main-19","clouddriver-main-2","clouddriver-main-20","clouddriver-main-21","clouddriver-main-22","clouddriver-main-23","clouddriver-main-24","clouddriver-main-25","clouddriver-main-26","clouddriver-main-27","clouddriver-main-28","clouddriver-main-29","clouddriver-main-3","clouddriver-main-30","clouddriver-main-31","clouddriver-main-32","clouddriver-main-33","clouddriver-main-34","clouddriver-main-35","clouddriver-main-36","clouddriver-main-37","clouddriver-main-38","clouddriver-main-39","clouddriver-main-4","clouddriver-main-40","clouddriver-main-41","clouddriver-main-42","clouddriver-main-43","clouddriver-main-5","clouddriver-main-6","clouddriver-main-60","clouddriver-main-7","clouddriver-main-8","clouddriver-main-9","deck-2025.1-0","deck-2025.1.0","deck-2025.2-0","deck-2025.2-2","deck-2025.2.0","deck-2025.2.1","deck-2025.2.2","deck-2025.2.3","deck-2025.2.4","deck-2025.3-3","deck-2025.3.0","deck-2025.3.1","deck-2025.4-0","deck-2025.4-4","deck-2025.4.0","deck-2025.4.1","deck-kayenta-2025.1-0","deck-kayenta-2025.1.0","deck-kayenta-2025.2-0","deck-kayenta-2025.2.0","deck-kayenta-2025.2.1","deck-kayenta-2025.2.2","deck-kayenta-2025.2.3","deck-kayenta-2025.3.0","deck-kayenta-2025.4-0","deck-kayenta-2025.4.0","deck-kayenta-main-2","deck-main-2","echo-2025.0-0","echo-2025.1-0","echo-2025.1.0","echo-2025.2-0","echo-2025.2-1","echo-2025.2.0","echo-2025.2.1","echo-2025.2.2","echo-2025.2.3","echo-2025.2.4","echo-2025.3-1","echo-2025.3.0","echo-2025.3.1","echo-2025.4-0","echo-2025.4-1","echo-2025.4.0","echo-2025.4.1","echo-main-1","echo-main-10","echo-main-11","echo-main-12","echo-main-13","echo-main-14","echo-main-15","echo-main-16","echo-main-17","echo-main-18","echo-main-19","echo-main-2","echo-main-20","echo-main-21","echo-main-22","echo-main-23","echo-main-24"
,"echo-main-25","echo-main-26","echo-main-27","echo-main-28","echo-main-3","echo-main-37","echo-main-4","echo-main-5","echo-main-6","echo-main-7","echo-main-8","fiat-2025.0-0","fiat-2025.1-0","fiat-2025.1.0","fiat-2025.2-0","fiat-2025.2.0","fiat-2025.2.1","fiat-2025.2.2","fiat-2025.2.3","fiat-2025.2.4","fiat-2025.3-1","fiat-2025.3.0","fiat-2025.3.1","fiat-2025.4-0","fiat-2025.4-1","fiat-2025.4.0","fiat-2025.4.1","fiat-main-1","fiat-main-10","fiat-main-11","fiat-main-12","fiat-main-13","fiat-main-14","fiat-main-15","fiat-main-16","fiat-main-17","fiat-main-18","fiat-main-19","fiat-main-2","fiat-main-20","fiat-main-21","fiat-main-22","fiat-main-3","fiat-main-30","fiat-main-4","fiat-main-5","fiat-main-6","fiat-main-8","fiat-main-9","front50-2025.0-0","front50-2025.1-0","front50-2025.1.0","front50-2025.2-0","front50-2025.2.0","front50-2025.2.1","front50-2025.2.2","front50-2025.2.3","front50-2025.2.4","front50-2025.3-1","front50-2025.3.0","front50-2025.3.1","front50-2025.4-0","front50-2025.4-1","front50-2025.4.0","front50-2025.4.1","front50-main-1","front50-main-10","front50-main-11","front50-main-12","front50-main-13","front50-main-14","front50-main-15","front50-main-16","front50-main-17","front50-main-18","front50-main-19","front50-main-2","front50-main-20","front50-main-21","front50-main-22","front50-main-23","front50-main-3","front50-main-34","front50-main-4","front50-main-5","front50-main-6","front50-main-8","front50-main-9","gate-2025.0-0","gate-2025.1-0","gate-2025.1.0","gate-2025.2-0","gate-2025.2-1","gate-2025.2-2","gate-2025.2-3","gate-2025.2.0","gate-2025.2.1","gate-2025.2.2","gate-2025.2.3","gate-2025.2.4","gate-2025.3-1","gate-2025.3.0","gate-2025.3.1","gate-2025.4-0","gate-2025.4-1","gate-2025.4.0","gate-2025.4.1","gate-main-1","gate-main-10","gate-main-11","gate-main-12","gate-main-13","gate-main-14","gate-main-15","gate-main-16","gate-main-17","gate-main-18","gate-main-19","gate-main-2","gate-main-20","gate-main-21","gate-main-22","gate-main-23","gate-main
-24","gate-main-25","gate-main-26","gate-main-27","gate-main-28","gate-main-29","gate-main-3","gate-main-4","gate-main-46","gate-main-5","gate-main-6","gate-main-8","gate-main-9","halyard-2025.0-0","halyard-2025.1-0","halyard-2025.1.0","halyard-2025.2-0","halyard-2025.2-1","halyard-2025.2-2","halyard-2025.2-3","halyard-2025.2-4","halyard-2025.2-5","halyard-2025.2-6","halyard-2025.2.0","halyard-2025.2.1","halyard-2025.2.2","halyard-2025.2.3","halyard-2025.2.4","halyard-2025.3-1","halyard-2025.3-2","halyard-2025.3-3","halyard-2025.3-4","halyard-2025.3.0","halyard-2025.3.1","halyard-2025.4-0","halyard-2025.4-1","halyard-2025.4-2","halyard-2025.4-3","halyard-2025.4-4","halyard-2025.4.0","halyard-2025.4.1","halyard-main-1","halyard-main-10","halyard-main-11","halyard-main-12","halyard-main-13","halyard-main-14","halyard-main-15","halyard-main-16","halyard-main-17","halyard-main-18","halyard-main-19","halyard-main-2","halyard-main-20","halyard-main-21","halyard-main-22","halyard-main-23","halyard-main-24","halyard-main-25","halyard-main-26","halyard-main-27","halyard-main-28","halyard-main-29","halyard-main-3","halyard-main-30","halyard-main-31","halyard-main-32","halyard-main-33","halyard-main-34","halyard-main-35","halyard-main-36","halyard-main-37","halyard-main-38","halyard-main-39","halyard-main-4","halyard-main-40","halyard-main-41","halyard-main-42","halyard-main-43","halyard-main-44","halyard-main-45","halyard-main-5","halyard-main-6","halyard-main-65","halyard-main-7","halyard-main-8","igor-2025.0-0","igor-2025.1-0","igor-2025.1.0","igor-2025.2-0","igor-2025.2.0","igor-2025.2.1","igor-2025.2.2","igor-2025.2.3","igor-2025.2.4","igor-2025.3-1","igor-2025.3.0","igor-2025.3.1","igor-2025.4-0","igor-2025.4-1","igor-2025.4.0","igor-2025.4.1","igor-main-1","igor-main-10","igor-main-11","igor-main-12","igor-main-13","igor-main-14","igor-main-15","igor-main-16","igor-main-17","igor-main-18","igor-main-19","igor-main-2","igor-main-20","igor-main-21","igor-main-22","igor-ma
in-23","igor-main-24","igor-main-25","igor-main-26","igor-main-27","igor-main-3","igor-main-36","igor-main-4","igor-main-5","igor-main-6","igor-main-8","kayenta-2025.0-0","kayenta-2025.1-0","kayenta-2025.1.0","kayenta-2025.2-0","kayenta-2025.2-1","kayenta-2025.2-2","kayenta-2025.2-3","kayenta-2025.2-4","kayenta-2025.2-5","kayenta-2025.2-6","kayenta-2025.2-7","kayenta-2025.2-8","kayenta-2025.2-9","kayenta-2025.2.0","kayenta-2025.2.1","kayenta-2025.2.2","kayenta-2025.2.3","kayenta-2025.2.4","kayenta-2025.3-1","kayenta-2025.3-2","kayenta-2025.3.0","kayenta-2025.3.1","kayenta-2025.4-0","kayenta-2025.4-1","kayenta-2025.4-2","kayenta-2025.4-3","kayenta-2025.4.0","kayenta-2025.4.1","kayenta-main-1","kayenta-main-10","kayenta-main-11","kayenta-main-12","kayenta-main-13","kayenta-main-14","kayenta-main-15","kayenta-main-16","kayenta-main-17","kayenta-main-18","kayenta-main-19","kayenta-main-2","kayenta-main-20","kayenta-main-21","kayenta-main-22","kayenta-main-23","kayenta-main-24","kayenta-main-25","kayenta-main-26","kayenta-main-27","kayenta-main-28","kayenta-main-29","kayenta-main-3","kayenta-main-30","kayenta-main-31","kayenta-main-32","kayenta-main-33","kayenta-main-34","kayenta-main-35","kayenta-main-36","kayenta-main-37","kayenta-main-4","kayenta-main-5","kayenta-main-6","kayenta-main-69","kayenta-main-7","kayenta-main-9","keel-2025.0-0","keel-2025.1-0","keel-2025.1.0","keel-2025.2-0","keel-2025.2.0","keel-2025.2.1","keel-2025.2.2","keel-2025.2.3","keel-2025.2.4","keel-2025.3-1","keel-2025.3.0","keel-2025.3.1","keel-2025.4-0","keel-2025.4-1","keel-2025.4.0","keel-2025.4.1","keel-main-1","keel-main-10","keel-main-11","keel-main-12","keel-main-13","keel-main-14","keel-main-15","keel-main-16","keel-main-17","keel-main-18","keel-main-19","keel-main-2","keel-main-20","keel-main-21","keel-main-22","keel-main-23","keel-main-3","keel-main-31","keel-main-4","keel-main-5","keel-main-6","keel-main-8","keel-main-9","orca-2025.0-0","orca-2025.1-0","orca-2025.1.0","orca-2025.2-0","
orca-2025.2-1","orca-2025.2-2","orca-2025.2-3","orca-2025.2-4","orca-2025.2-5","orca-2025.2-6","orca-2025.2-7","orca-2025.2-8","orca-2025.2-9","orca-2025.2.0","orca-2025.2.1","orca-2025.2.2","orca-2025.2.3","orca-2025.2.4","orca-2025.3-1","orca-2025.3-2","orca-2025.3.0","orca-2025.3.1","orca-2025.4-0","orca-2025.4-1","orca-2025.4-2","orca-2025.4-3","orca-2025.4.0","orca-2025.4.1","orca-main-1","orca-main-10","orca-main-11","orca-main-12","orca-main-13","orca-main-14","orca-main-15","orca-main-16","orca-main-17","orca-main-18","orca-main-19","orca-main-2","orca-main-20","orca-main-21","orca-main-22","orca-main-23","orca-main-24","orca-main-25","orca-main-26","orca-main-27","orca-main-28","orca-main-3","orca-main-30","orca-main-31","orca-main-32","orca-main-33","orca-main-34","orca-main-35","orca-main-36","orca-main-4","orca-main-5","orca-main-6","orca-main-68","orca-main-7","orca-main-9","rosco-2025.0-0","rosco-2025.1-0","rosco-2025.1.0","rosco-2025.2-0","rosco-2025.2.0","rosco-2025.2.1","rosco-2025.2.2","rosco-2025.2.3","rosco-2025.2.4","rosco-2025.3-1","rosco-2025.3.0","rosco-2025.3.1","rosco-2025.4-1","rosco-2025.4-2","rosco-2025.4.0","rosco-2025.4.1","rosco-main-1","rosco-main-10","rosco-main-11","rosco-main-12","rosco-main-14","rosco-main-15","rosco-main-16","rosco-main-17","rosco-main-18","rosco-main-19","rosco-main-2","rosco-main-20","rosco-main-21","rosco-main-22","rosco-main-3","rosco-main-30","rosco-main-4","rosco-main-5","rosco-main-6","rosco-main-8","rosco-main-9","spinnaker-release-2024.0.0","spinnaker-release-2025.2.0","spinnaker-release-2025.2.1","spinnaker-release-2025.2.2","spinnaker-release-2025.2.3","spinnaker-release-2025.3.0","spinnaker-release-2025.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25534.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"}]}