CVE-2026-26055

HIGH 7.5 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Patch Released: Apr 10, 2026 - 08:30, nvd (Patch available)
Analysis Generated: Mar 12, 2026 - 22:02, vuln.today
CVE Published: Feb 12, 2026 - 22:16, nvd (HIGH 7.5)

Description

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.

Analysis

Unauthenticated webhook endpoints in Yoke's Air Traffic Controller component allow any pod within a Kubernetes cluster to submit AdmissionReview requests and execute WASM modules in the controller's context without authorization. This affects Yoke versions 0.19.0 and earlier, enabling attackers with cluster access to bypass API Server authentication and potentially compromise the infrastructure-as-code deployment pipeline. …


Remediation

Within 24 hours: Identify all systems running Yoke 0.19.0 and earlier; restrict network access to ATC components to trusted networks only.
Within 7 days: Evaluate upgrade path to patched version when available; implement network segmentation isolating Yoke deployments. …


Priority Score

38
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0


CVE-2026-26055 vulnerability details – vuln.today
