← Back

CVE-2026-26055

nvd nist
Published: Feb 12, 2026Modified: Jun 17, 2026

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.

Affected (1)

Products: Yokecd: Yoke
1 product
Yoke
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Up to 0.19.0

References (1)

Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.