{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26055", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.899Z", "datePublished": "2026-02-12T21:07:17.914Z", "dateUpdated": "2026-02-12T21:36:37.816Z"}, "containers": {"cna": {"title": "Unauthenticated Admission Webhook Endpoints in Yoke ATC", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334"}], "affected": [{"vendor": "yokecd", "product": "yoke", "versions": [{"version": "<= 0.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T21:07:17.914Z"}, "descriptions": [{"lang": "en", "value": "Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization."}], "source": {"advisory": "GHSA-965m-v4cc-6334", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T21:36:10.498569Z", "id": "CVE-2026-26055", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:36:37.816Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26055", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T21:36:10.498569Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:36:28.213Z"}}], "cna": {"title": "Unauthenticated Admission Webhook Endpoints in Yoke ATC", "source": {"advisory": "GHSA-965m-v4cc-6334", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "yokecd", "product": "yoke", "versions": [{"status": "affected", "version": "<= 0.19.0"}]}], "references": [{"url": "https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334", "name": "https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T21:07:17.914Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26055", "state": "PUBLISHED", "dateUpdated": "2026-02-12T21:36:37.816Z", "dateReserved": "2026-02-10T18:01:31.899Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T21:07:17.914Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yokecd:yoke:*:*:*:*:*:*:*:*", "matchCriteriaId": "02DD229D-6652-4DF6-9FC9-999E84AE5AD8", "versionEndIncluding": "0.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization."}, {"lang": "es", "value": "Yoke es un desplegador de paquetes de infraestructura como c\u00f3digo (IaC) inspirado en Helm. En la versi\u00f3n 0.19.0 y anteriores, existe una vulnerabilidad en el componente Air Traffic Controller (ATC) de Yoke. Los puntos finales del webhook de ATC carecen de mecanismos de autenticaci\u00f3n adecuados, lo que permite que cualquier pod dentro de la red del cl\u00faster env\u00ede directamente solicitudes de AdmissionReview al webhook, eludiendo la autenticaci\u00f3n del Kubernetes API Server. Esto permite a los atacantes activar la ejecuci\u00f3n de m\u00f3dulos WASM en el contexto del controlador ATC sin la autorizaci\u00f3n adecuada."}], "id": "CVE-2026-26055", "lastModified": "2026-04-01T20:57:00.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-12T22:16:06.190", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.19.0]"}}], "product": "yoke", "vendor": "yokecd"}], "analysis": {"en": {"generated_at": "2026-04-17T19:57:41.305394+00:00", "value": {"mitigation_remediation": ["Upgrade Yoke to a release after 0.19.0 that includes authentication for the ATC webhook.", "Restrict network access to the ATC webhook so that only the Kubernetes API Server or trusted services can reach it, using network policies or a service mesh.", "If an upgrade cannot be performed immediately, enforce Pod Security Policies or RBAC rules to prevent arbitrary pods from sending AdmissionReview requests to the webhook, effectively blocking the attack path."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Yoke version 0.19.0 and earlier are affected. The product, distributed by yokecd, is the Yoke IaC deployer, and the flaw is present in its ATC component that runs within a Kubernetes cluster. All pods with network reach to the ATC webhook are potential launchpads for exploitation, regardless of workload or cluster configuration.", "description_and_impact": "The vulnerability resides in the Air Traffic Controller component of Yoke, a Helm\u2011inspired infrastructure-as-code package deployer. The ATC webhook endpoints lack authentication, allowing any pod that can reach the cluster network to send AdmissionReview requests directly to the webhook. This bypasses Kubernetes API Server authentication and enables an attacker to trigger the execution of WebAssembly modules within the ATC controller context without authorization, effectively granting the ability to run arbitrary code in the cluster\u2019s management plane.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity. The EPSS score is less than 1\u202f% suggesting current exploitation probability is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is any pod inside the cluster that can reach the ATC webhook; once the attacker creates or uses such a pod, crafted AdmissionReview requests can trigger malicious WASM execution. This would grant execution of arbitrary code with the privileges of the ATC controller, potentially enabling full cluster compromise."}}}}, "created": "2026-02-13T21:29:22.113372+00:00", "updated": "2026-04-17T20:00:09.039943+00:00", "vendors": ["yokecd", "yokecd$PRODUCT$yoke"]}