CVE-2026-26055

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:yokecd:yoke:*:*:*:*:*:*:*:*

History

01 Apr 2026, 20:57

Type	Values Removed	Values Added
CPE		cpe:2.3:a:yokecd:yoke::::::::
References	~~() https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334 -~~	() https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334 - Exploit, Vendor Advisory
First Time		Yokecd Yokecd yoke
Summary		(es) Yoke es un desplegador de paquetes de infraestructura como código (IaC) inspirado en Helm. En la versión 0.19.0 y anteriores, existe una vulnerabilidad en el componente Air Traffic Controller (ATC) de Yoke. Los puntos finales del webhook de ATC carecen de mecanismos de autenticación adecuados, lo que permite que cualquier pod dentro de la red del clúster envíe directamente solicitudes de AdmissionReview al webhook, eludiendo la autenticación del Kubernetes API Server. Esto permite a los atacantes activar la ejecución de módulos WASM en el contexto del controlador ATC sin la autorización adecuada.

12 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-12 22:16

Updated : 2026-04-01 20:57

NVD link : CVE-2026-26055

Mitre link : CVE-2026-26055

CVE.ORG link : CVE-2026-26055

JSON object : View

Products Affected

yokecd

yoke

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-26055", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-12T22:16:06.190", "references": [{"url": "https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization."}, {"lang": "es", "value": "Yoke es un desplegador de paquetes de infraestructura como c\u00f3digo (IaC) inspirado en Helm. En la versi\u00f3n 0.19.0 y anteriores, existe una vulnerabilidad en el componente Air Traffic Controller (ATC) de Yoke. Los puntos finales del webhook de ATC carecen de mecanismos de autenticaci\u00f3n adecuados, lo que permite que cualquier pod dentro de la red del cl\u00faster env\u00ede directamente solicitudes de AdmissionReview al webhook, eludiendo la autenticaci\u00f3n del Kubernetes API Server. Esto permite a los atacantes activar la ejecuci\u00f3n de m\u00f3dulos WASM en el contexto del controlador ATC sin la autorizaci\u00f3n adecuada."}], "lastModified": "2026-04-01T20:57:00.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yokecd:yoke:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02DD229D-6652-4DF6-9FC9-999E84AE5AD8", "versionEndIncluding": "0.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}