Skip to content
Verified reproduction

CVE-2026-55175: Spinnaker Kustomize bake unsafe YAML tag processing leading to RCE

CVE-2026-55175 is verified against spinnaker/spinnaker · github affected versions: <2026.1.1, <2026.0.3, <2025.4.4, <2025.3.4 vulnerability class: RCE This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00289.

REPRO-2026-00289 spinnaker/spinnaker · github RCE Variant found Known vulnerability Jul 15, 2026 CVE entry .txt
Severity HIGH
Confidence HIGH
Reproduced in 15m 51s
Tool calls 149
Spend $2.10
Affected <2026.1.1, <2026.0.3, <2025.4.4, <2025.3.4
$ pruva-verify REPRO-2026-00289
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00289/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Spinnaker prior to 2026.1.1/2026.0.3/2025.4.4/2025.3.4 allows unsafe YAML tag processing in Kustomize bake operations within rosco manifests, which can lead to remote code execution on rosco pods when performing Kustomize bakes.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support · claim contract · reproduction · judge · variant analysis

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.