{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26056", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.899Z", "datePublished": "2026-02-12T21:11:13.408Z", "dateUpdated": "2026-02-12T21:33:22.829Z"}, "containers": {"cna": {"title": "Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff"}], "affected": [{"vendor": "yokecd", "product": "yoke", "versions": [{"version": "< 0.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T21:11:13.408Z"}, "descriptions": [{"lang": "en", "value": "Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level."}], "source": {"advisory": "GHSA-wj8p-jj64-h7ff", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T21:32:45.797888Z", "id": "CVE-2026-26056", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:33:22.829Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26056", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-12T21:32:45.797888Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:33:00.635Z"}}], "cna": {"title": "Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC", "source": {"advisory": "GHSA-wj8p-jj64-h7ff", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "yokecd", "product": "yoke", "versions": [{"status": "affected", "version": "< 0.19.0"}]}], "references": [{"url": "https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff", "name": "https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T21:11:13.408Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26056", "state": "PUBLISHED", "dateUpdated": "2026-02-12T21:33:22.829Z", "dateReserved": "2026-02-10T18:01:31.899Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T21:11:13.408Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yokecd:yoke:*:*:*:*:*:*:*:*", "matchCriteriaId": "02DD229D-6652-4DF6-9FC9-999E84AE5AD8", "versionEndIncluding": "0.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level."}, {"lang": "es", "value": "Yoke es un desplegador de paquetes de infraestructura como c\u00f3digo (IaC) inspirado en Helm. En la versi\u00f3n 0.19.0 y anteriores, existe una vulnerabilidad en el componente Air Traffic Controller (ATC) de Yoke. Permite a los usuarios con permisos de creaci\u00f3n/actualizaci\u00f3n de CR ejecutar c\u00f3digo WASM arbitrario en el contexto del controlador ATC inyectando una URL maliciosa a trav\u00e9s de la anotaci\u00f3n overrides.yoke.cd/flight. El controlador ATC descarga y ejecuta el m\u00f3dulo WASM sin una validaci\u00f3n de URL adecuada, lo que permite a los atacantes crear recursos arbitrarios de Kubernetes o potencialmente escalar privilegios a nivel de cluster-admin."}], "id": "CVE-2026-26056", "lastModified": "2026-04-01T20:53:39.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T22:16:06.347", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.19.0)"}}], "product": "yoke", "vendor": "yokecd"}], "analysis": {"en": {"generated_at": "2026-04-17T19:57:27.877654+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Yoke release that includes a fix for the ATC annotation validation issue (any version greater than 0.19.0).", "Restrict the CR create/update permissions so that only trusted users can modify the overrides.yoke.cd/flight annotation.", "Audit existing Kubernetes manifests for the overrides.yoke.cd/flight annotation, remove or sanitise any URLs pointing to external WASM modules, and replace them with safe, internally stored modules.", "As an interim measure, disable the ATC controller or block outbound network traffic from the controller so it cannot download external WASM modules until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary WASM code execution that can lead to privilege escalation"}, "threat_synthesis": {"affected_systems": "Yoke, produced by yokecd, is affected when its version is 0.19.0 or older. The vulnerability resides in the ATC component of the infrastructure\u2011as\u2011code deployment tool.", "description_and_impact": "The Air Traffic Controller (ATC) component of Yoke releases 0.19.0 and earlier accepts an annotation named overrides.yoke.cd/flight that points to a WebAssembly module. The controller downloads and executes the module without validating the URL. An attacker who has permission to create or update resources can supply a malicious URL, causing the ATC to run arbitrary WASM code in its own context. This ability allows the attacker to create arbitrary Kubernetes resources and may enable escalation to cluster\u2011admin level.", "risk_and_exploitability": "The CVSS v3.1 base score is 8.8, indicating a high severity vulnerability. The EPSS score is below 1%, suggesting a limited probability of exploitation at present. The issue is not listed in CISA's KEV catalog. The likely attack vector is through the injection of a malicious URL in the overrides.yoke.cd/flight annotation by a user with create/update permissions; the ATC controller then executes the downloaded WASM code, granting the attacker the controller's privileges."}}}}, "created": "2026-02-13T21:29:21.354109+00:00", "updated": "2026-04-17T20:00:09.039397+00:00", "vendors": ["yokecd", "yokecd$PRODUCT$yoke"]}