CVE-2026-26055
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-02-12

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26055
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yokecd yoke to 0.19.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Air Traffic Controller (ATC) component of Yoke, a Helm-inspired infrastructure-as-code package deployer. In versions 0.19.0 and earlier, the ATC webhook endpoints do not have proper authentication mechanisms. This means that any pod within the cluster network can send AdmissionReview requests directly to the webhook, bypassing the Kubernetes API Server's authentication controls.

As a result, attackers can trigger the execution of WASM modules in the ATC controller context without proper authorization.

Impact Analysis

Because the vulnerability allows unauthorized pods within the cluster to send AdmissionReview requests and trigger WASM module execution in the ATC controller, it can lead to unauthorized actions being performed within the infrastructure deployment process.

Specifically, the impact includes the potential for attackers to manipulate or interfere with infrastructure-as-code deployments, which could compromise the integrity of the deployed environment.

The CVSS score of 7.5 indicates a high severity, with no privileges required and no user interaction needed, making exploitation relatively easy within the cluster network.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart