Daily Digest April 21, 2026 · 2 min read · 5 CVEs · Issue 01 By PatchDay Alert

Four perfect 10s and a 9.9 sandbox escape: Spinnaker, Perl, and OpenClaw all need attention

Two Spinnaker RCEs (CVE-2026-32613, CVE-2026-32604) let attackers run code through pipeline expressions and gitrepo artifact injection. A 9.9 OpenClaw sandbox escape (CVE-2026-41329) bypasses privilege boundaries. Perl's Storable and Net::Dropbear round out the list with legacy crypto and deserialization bugs, both CVSS 10.0. None are exploited in the wild yet.

Patch now

Within 24h

This week

Exploited

Four perfect 10.0s landed today, plus a 9.9 sandbox escape. The two Spinnaker bugs are the ones to move on first: both give attackers full remote code execution through pipeline definitions, no auth bypass needed. None of these are exploited in the wild yet, but that CVSS density deserves your attention this morning.

Today's patch call

Schedule this week: Exchange. Upgrade Net::Dropbear to version 0.14 or later via CPAN, then redeploy any services that link against it.
Schedule this week: CVE-2017-20230. Upgrade the Storable module to 3.05 or later, and audit code paths to confirm you aren't thawing untrusted input.
Patch within 24h: Spinnaker. Update the echo-pipelinetriggers artifact to the patched version and restrict who can create or edit pipeline definitions until the update is live.
Patch within 24h: Spinnaker. Update clouddriver-artifacts-gitrepo to the patched release, and as a stopgap, disable or restrict gitrepo artifact definitions until the fix is deployed.
Patch within 24h: CVE-2026-41329. Upgrade OpenClaw to version 2026.3.31 or later and review any sandbox-hosted workloads for signs of unexpected privilege escalation.

Today's CVEs

Sorted by urgency

Search by CVE Vendor/Product Platform Urgency Exploited Fix status

CVE-2025-15638

NVD

10.0

CVSS

Patch this week CRITICAL

The Perl module Net::Dropbear (before 0.14) ships a bundled copy of libtomcrypt v1.18.1 or older, which carries known crypto bugs from 2016 and 2018. An attacker could exploit weaknesses in the crypto library to undermine authentication or key exchange. The CVSS 10.0 score reflects worst-case impact, but real-world risk depends on whether your app exposes Dropbear's SSH interface directly.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Perl developers or ops teams running applications that depend on Net::Dropbear (versions before 0.14)
How to check: Check inventory, endpoint management, or the vendor console for affected Exchange versions.
Action: Upgrade Net::Dropbear to version 0.14 or later via CPAN, then redeploy any services that link against it.
Urgency: Patch this week
Why it matters: The Perl module Net::Dropbear (before 0
Source: NVD

Evidence trail

NVD: View source

CVE-2017-20230

NVD

10.0

CVSS

Patch this week CRITICAL

Perl's Storable module before version 3.05 has a stack overflow triggered by a signed/unsigned mismatch when reading class name lengths. An attacker who can feed crafted serialized data to your Perl process can crash it or potentially run arbitrary code. Exploitation requires the app to deserialize untrusted Storable blobs, so if you only deserialize data you control, your exposure is lower.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Anyone running Perl applications that use Storable (before 3.05) to deserialize data from untrusted sources
How to check: Check inventory, endpoint management, or the vendor console for affected product versions.
Action: Upgrade the Storable module to 3.05 or later, and audit code paths to confirm you aren't thawing untrusted input.
Urgency: Patch this week
Why it matters: Perl's Storable module before version 3
Source: NVD

Evidence trail

NVD: View source

CVE-2026-32613

GitHub

10.0

CVSS EPSS 0.06%

Patch within 24h CRITICAL

Spinnaker's expression parsing in the Echo pipeline triggers component doesn't restrict context handling, which lets an attacker inject expressions that execute arbitrary code on the server. No authentication bypass is needed if the attacker can submit or modify a pipeline definition. CVSS 10.0, not yet exploited in the wild, and EPSS is low (0.00057), but the impact is full remote code execution.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Teams running Spinnaker with the echo-pipelinetriggers component
How to check: Check inventory, endpoint management, or the vendor console for affected Spinnaker versions.
Action: Update the echo-pipelinetriggers artifact to the patched version and restrict who can create or edit pipeline definitions until the update is live.
Urgency: Patch within 24 hours
Why it matters: Spinnaker's expression parsing in the Echo pipeline triggers component doesn't restrict context handling, which lets an attacker inject expressions that execute arbitrary code on the server
Source: GitHub

Evidence trail

NVD: View source

CVE-2026-32604

GitHub

10.0

CVSS EPSS 0.18%

Patch within 24h CRITICAL

If you use Spinnaker's gitrepo artifact type, an attacker can inject commands through the branch name or file path fields. The clouddriver-artifacts-gitrepo module doesn't properly sanitize user input, so a crafted pipeline config gives the attacker remote code execution on the Clouddriver host. CVSS 10.0, not yet exploited in the wild.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Teams running Spinnaker with gitrepo artifact types enabled (clouddriver-artifacts-gitrepo)
How to check: Check inventory, endpoint management, or the vendor console for affected Spinnaker versions.
Action: Update clouddriver-artifacts-gitrepo to the patched release, and as a stopgap, disable or restrict gitrepo artifact definitions until the fix is deployed.
Urgency: Patch within 24 hours
Why it matters: If you use Spinnaker's gitrepo artifact type, an attacker can inject commands through the branch name or file path fields
Source: GitHub

Evidence trail

NVD: View source

CVE-2026-41329

NVD

9.9

CVSS EPSS 0.04%

Patch within 24h CRITICAL

OpenClaw before 2026.3.31 has a sandbox escape. An attacker can manipulate the senderIsOwner parameter and abuse heartbeat context inheritance to bypass sandbox restrictions and escalate privileges. The attack doesn't require physical access, but the attacker does need some level of existing access within the sandboxed environment to trigger it.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Anyone running OpenClaw versions older than 2026.3.31
How to check: Check inventory, endpoint management, or the vendor console for affected product versions.
Action: Upgrade OpenClaw to version 2026.3.31 or later and review any sandbox-hosted workloads for signs of unexpected privilege escalation.
Urgency: Patch within 24 hours
Why it matters: OpenClaw before 2026
Source: NVD

Evidence trail

NVD: View source

One email, every weekday morning.

From the field notes

Daybreak shipped without a single number of its own

From this beat

Read the rest of the field notes →