DAILY BRIEF · APRIL 21, 2026
Five CVSS 9.8+ vulnerabilities dropped today, and none of them are being exploited in the wild yet. That "yet" is doing a lot of heavy lifting. Top of the list: CVE-2026-41329, a CVSS 9.9 sandbox escape in OpenClaw that lets a low-privilege attacker escalate through broken heartbeat context validation. Spinnaker gets hit twice, Doorman has a laughably simple privilege escalation, and NewSoftOA rounds it out with unauthenticated command injection. No fires right now, but this is a "patch before Friday" kind of day.
TOP THREAT TODAY

CVE-2026-41329
CVSS 9.9
CRITICAL
An attacker can escape the OpenClaw sandbox and escalate privileges by manipulating heartbeat context inheritance and the senderIsOwner parameter. Because the sandbox does not validate the inherited heartbeat context, a low-privilege attacker can have their requests treated as the owner's and gain elevated access. No exploitation in the wild yet, but a CVSS 9.9 sandbox escape is the kind of bug that gets weaponized fast.
Who's affected: Anyone running OpenClaw versions before 2026.3.31
Patch immediately.
Upgrade OpenClaw to version 2026.3.31 or later.
CVE-2026-32613
CVSS 9.9
CRITICAL
Spinnaker's Echo service evaluates Spring Expression Language (SpEL) expressions without restricting which Java classes and methods an expression may invoke. An attacker who can write artifact definitions can therefore run arbitrary commands on the host, read files, and steal credentials. CVSS 9.9, not yet exploited in the wild, but this is effectively unrestricted RCE for anyone who runs Echo.
Affects: Teams running Spinnaker with the Echo service enabled on any release older than the fixed version for its line: 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2
Patch immediately.
Update Spinnaker to 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2, whichever matches your release line. If you can't patch right now, disable Echo entirely as a stopgap.
CVE-2026-32604
CVSS 9.9
CRITICAL
An attacker can run arbitrary commands on Spinnaker's clouddriver pods by abusing the gitrepo artifact type. That gives them the credentials stored on those pods, the ability to delete files, and the ability to inject resources into your deployment pipeline. CVSS 9.9, not exploited in the wild yet.
Affects: Teams running Spinnaker with gitrepo artifact types enabled on any release older than the fixed version for its line: 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2
Patch immediately.
Update Spinnaker to 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2, whichever matches your release line. If patching isn't immediate, disable gitrepo artifact types as a workaround.
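Both Spinnaker advisories list one fixed version per release line rather than a single cutoff, which makes "are we patched?" easy to get wrong from a quick glance at a version string (2025.4.1 is vulnerable, 2025.4.2 is not, and 2025.2.x has no fix on its own line at all). The following triage helper is an added example for this brief, not Spinnaker's own code; the only facts it takes from the advisories are the four fixed versions, and the assumption that Spinnaker versions are YEAR.MINOR.PATCH strings compared numerically is mine.

```python
"""Decide whether an installed Spinnaker release is at or past the fix for
CVE-2026-32613 / CVE-2026-32604.

Added example for the brief, not Spinnaker project code.  Fixed versions come
from the advisories; the YEAR.MINOR.PATCH version format is an assumption.
"""
from __future__ import annotations

# One fixed version per release line, as listed in the advisories.
FIXED_VERSIONS = ("2026.1.0", "2026.0.1", "2025.4.2", "2025.3.2")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'YEAR.MINOR.PATCH' into a comparable tuple; reject anything else
    (branch names, snapshot tags) so they get flagged rather than guessed."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Spinnaker version string: {version!r}")
    year, minor, patch = (int(p) for p in parts)
    return (year, minor, patch)


def fix_for_line(version: str) -> str | None:
    """Return the fixed version on the same YEAR.MINOR line, or None if that
    line received no fix (older lines must move to a newer line)."""
    year, minor, _ = parse_version(version)
    for fixed in FIXED_VERSIONS:
        fy, fm, _ = parse_version(fixed)
        if (fy, fm) == (year, minor):
            return fixed
    return None


def is_vulnerable(version: str) -> bool:
    """True if the installed version predates the fix on its line, or if its
    line is older than every fixed line.  A line newer than all fixed lines
    (e.g. a future 2026.2.x) is assumed to carry the fix."""
    installed = parse_version(version)
    fixed_on_line = fix_for_line(version)
    if fixed_on_line is not None:
        return installed < parse_version(fixed_on_line)
    newest_fixed_line = max(parse_version(f)[:2] for f in FIXED_VERSIONS)
    return installed[:2] < newest_fixed_line


def triage(versions: list[str]) -> dict[str, str]:
    """Map each version string to 'vulnerable', 'patched' or 'unparseable'."""
    result: dict[str, str] = {}
    for v in versions:
        try:
            result[v] = "vulnerable" if is_vulnerable(v) else "patched"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real deployments.
    sample = ["2025.4.1", "2025.4.2", "2026.0.0", "2026.1.0",
              "2025.2.9", "2026.2.0", "main"]
    for version, status in triage(sample).items():
        print(f"{version:>10}  {status}")
```

Feed it the versions reported by your deployments and treat anything "vulnerable" or "unparseable" as needing a look; an unparseable value usually means a snapshot or branch build whose fix status has to be checked by commit rather than by version.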
CVE-2026-30269
CVSS 9.9
CRITICAL
Any authenticated Doorman user can promote themselves to a high-privilege role by sending an update to /platform/user/{username} for their own account with a new role value. The endpoint never checks whether the caller holds the manage_users permission before applying a role change, so the ordinary "edit your own profile" path becomes an escalation path. CVSS 9.9, and trivial to exploit: one crafted API call turns a regular user into a privileged one.
Affects: Anyone running Doorman v0.1.0 or v1.0.2
Patch immediately.
Upgrade Doorman to a patched version that enforces manage_users permission checks on self-updates. Until then, restrict network access to the /platform/user/ endpoint and review access logs for update requests to /platform/user/{username} that carry a role field, especially where the target username matches the authenticated caller.
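The Doorman bug is a textbook case of authorizing the request ("may this user edit this record?") without authorizing the fields ("may this user change role?"). Below is an added example for this brief, not Doorman's code: a minimal user-update handler in the vulnerable shape the advisory describes, beside a hardened version that gates privileged fields on manage_users. The User model, the field sets, the handler names and the sample accounts are my constructions; the only thing taken from the advisory is that a self-update carrying a new role value must require manage_users.

```python
"""Field-level authorization on a self-service user update.

Added example, not Doorman project code.  Models the bug class described for
CVE-2026-30269: a self-update that applies a 'role' value without checking
manage_users.  Data model, field sets and sample users are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


class Forbidden(Exception):
    """Raised when the caller may not make the requested change."""


@dataclass
class User:
    username: str
    role: str
    display_name: str = ""
    permissions: set[str] = field(default_factory=set)   # assumed shape


# Fields a user may change on their own record with no special permission.
SELF_EDITABLE = {"display_name"}
# Fields that change what a user may do; only manage_users may touch them.
PRIVILEGED = {"role", "permissions"}


def update_user_vulnerable(actor: User, target: User, patch: dict) -> User:
    """The shape of the bug: the only check is 'own record or manage_users',
    after which the patch is applied wholesale, role included."""
    if actor.username != target.username and "manage_users" not in actor.permissions:
        raise Forbidden("cannot edit other users")
    for key, value in patch.items():          # no per-field check here
        setattr(target, key, value)
    return target


def update_user_fixed(actor: User, target: User, patch: dict) -> User:
    """Hardened: unknown fields are rejected, privileged fields require
    manage_users no matter whose record it is, and editing someone else's
    record also requires manage_users."""
    unknown = set(patch) - SELF_EDITABLE - PRIVILEGED
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    has_manage = "manage_users" in actor.permissions
    if set(patch) & PRIVILEGED and not has_manage:
        raise Forbidden("changing role/permissions requires manage_users")
    if actor.username != target.username and not has_manage:
        raise Forbidden("cannot edit other users")
    for key, value in patch.items():
        setattr(target, key, value)
    return target


def attempt(handler: Callable[[User, User, dict], User],
            actor: User, target: User, patch: dict) -> str:
    """Run one handler and report the outcome instead of raising."""
    try:
        handler(actor, target, patch)
        return "applied"
    except Forbidden:
        return "denied"
    except ValueError:
        return "rejected"


def demo() -> dict[str, str]:
    """Same escalation attempt against both handlers; returns role afterwards."""
    alice = User("alice", role="user")             # constructed sample account
    bob = User("bob", role="user")                 # constructed sample account
    attempt(update_user_vulnerable, alice, alice, {"role": "admin"})
    attempt(update_user_fixed, bob, bob, {"role": "admin"})
    return {"vulnerable": alice.role, "fixed": bob.role}


if __name__ == "__main__":
    print(demo())   # the vulnerable handler leaves alice as admin, bob stays user
```

The important design point is that the privileged-field check runs before the "is this my own record" shortcut and does not depend on it: a self-update and an admin update go through the same field gate, so there is no path where being the record's owner substitutes for holding manage_users.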
CVE-2026-5965
CVSS 9.8
CRITICAL
NewSoftOA has an OS command injection bug that lets an unauthenticated attacker run arbitrary commands on the server. No login required. CVSS 9.8. The advisory describes the attacker as "local", which would lower the risk compared with a remotely exploitable bug, but a 9.8 base score implies a network attack vector, so check the vector string in the advisory rather than assuming local-only. Either way, if anyone untrusted can reach the server, this is game over.
Affects: Anyone running NewSoftOA (developed by NewSoft)
Patch within 24 hours.
Apply the latest NewSoftOA update from NewSoft. Until patched, restrict access to the server to the users who need it and audit for signs of command injection: unexpected child processes spawned by the application, and shell metacharacters in request parameters.
That's your patch day digest.
patchdayalert.com