CVE-2026-26055
HIGH
Yoke <= 0.19.0 - Unauthenticated WASM Module Execution via ATC Webhook Endpoint
Title source: llm
Description
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334
Scores
CVSS v3
7.5
EPSS
0.0041
EPSS Percentile
32.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-306
Status
published
Products (3)
yokecd/yoke
< 0.19.0
yokecd/yoke
0
Go
yokecd/yoke
<= 0.19.0
Published
Feb 12, 2026
Tracked Since
Feb 18, 2026