High severity 7.5 · NVD Advisory · Published Feb 12, 2026 · Updated Apr 1, 2026
CVE-2026-26055
Description
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.
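One way for a webhook server to refuse callers other than the API server is to require a verified TLS client certificate, which the Kubernetes API server can be configured to present to admission webhooks. The Go program below is an added example, not Yoke's code or its fix; the `/validate` path, the common name `kube-apiserver-webhook-client` and all function names are assumptions, and the connection states are constructed in place of a real TLS handshake.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireClientCert rejects requests that lack a verified TLS client certificate
// with the expected common name (allowedCN is an operator-chosen assumption).
func requireClientCert(allowedCN string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// VerifiedChains is only filled when the server's tls.Config sets ClientAuth
		// to tls.RequireAndVerifyClientCert and ClientCAs to a dedicated issuing CA.
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 ||
			r.TLS.VerifiedChains[0][0].Subject.CommonName != allowedCN {
			http.Error(w, "verified client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// constructedState mimics the state attached after a verified handshake (sample data).
func constructedState(cn string) *tls.ConnectionState {
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	return &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
}

// statusFor sends one constructed POST through the guard and returns the status.
func statusFor(state *tls.ConnectionState) int {
	admit := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for the real admission handler
	})
	req := httptest.NewRequest(http.MethodPost, "/validate", nil) // hypothetical path
	req.TLS = state
	rec := httptest.NewRecorder()
	requireClientCert("kube-apiserver-webhook-client", admit).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("no client cert:  ", statusFor(nil))
	fmt.Println("other workload:  ", statusFor(constructedState("some-workload")))
	fmt.Println("API server cert: ", statusFor(constructedState("kube-apiserver-webhook-client")))
}
```

The common-name check only helps if the CA in `ClientCAs` issues certificates to nothing but the API server's webhook client; a cluster-wide CA that also signs workload certificates would let any holder of one reach the comparison.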
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/yokecd/yoke (Go) | <= 0.19.0 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334 (nvd: Exploit, Vendor Advisory; WEB)
- github.com/advisories/GHSA-965m-v4cc-6334 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26055 (ghsa: ADVISORY)
- github.com/yokecd/yoke/blob/bc9c576a790df8c42aa06b90fb406220f1de22a0/cmd/atc/handler.go (ghsa: WEB)