CVE-2026-26055
Published: 12 February 2026
Summary
CVE-2026-26055 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Yokecd Yoke. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires established identification and authentication before unlocking, mitigating missing authentication for continued system access.
- Requiring identification of, and a rationale for, every action allowed without authentication forces a review of authentication requirements, so critical functions are not left unprotected.
- Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
- Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
- Auditing sessions makes it possible to detect access to critical functions without the required authentication.
- The assessment process confirms authentication is present and effective for critical functions, preventing exploitation via missing authentication.
- Certification assesses that critical functions have the required authentication controls in place.
- Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on the ATC webhook directly enables exploitation of the exposed endpoint (Exploit Public-Facing Application, T1190) from within the cluster network, and unauthorized WASM execution in the privileged controller context (Exploitation for Privilege Escalation, T1068).
NVD Description
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.
Deeper analysis
CVE-2026-26055 affects Yoke, a Helm-inspired infrastructure-as-code (IaC) package deployer, in versions 0.19.0 and earlier. The vulnerability resides in the Air Traffic Controller (ATC) component, whose webhook endpoints lack proper authentication. An admission webhook is normally reached only through the Kubernetes API Server, which has already authenticated and authorized the request that triggered the admission call; a webhook that accepts connections from any caller inherits none of those checks. Here, any pod within the cluster network can send AdmissionReview requests directly to the webhook, bypassing API Server authentication and triggering WASM module execution in the ATC controller context without authorization. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-306 (Missing Authentication for Critical Function).
An attacker who can deploy or compromise a pod within the Kubernetes cluster network can exploit this vulnerability. By sending crafted AdmissionReview requests directly to the ATC webhook endpoints, they bypass the standard Kubernetes authentication enforced by the API Server. Successful exploitation lets the attacker trigger WASM module execution in the ATC controller's context without authorization, potentially leading to integrity violations such as unauthorized configuration changes within the Yoke deployment process; the CVSS vector records this as an integrity-only impact (C:N, I:H, A:N).
Mitigation details are available in the GitHub security advisory at https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334.
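The gap described above is that the webhook answers any caller that can reach its port. As an added example, not code from Yoke or from the advisory's fix, the following minimal Go webhook closes that gap with the two checks a practitioner would want: the listener requires a client certificate chaining to the CA that issues the API server's webhook client credential (tls.RequireAndVerifyClientCert), and the handler pins the certificate subject to the expected API server identity. The CA name, the CN "kube-apiserver", the /validate path and the AdmissionReview payload are assumptions for the demonstration; the program generates throwaway certificates in memory and exercises the webhook on loopback as three callers: a pod with no credential, a holder of some other CA-issued certificate, and the API server identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// issue returns a P-256 key and certificate: a self-signed CA when parent is nil,
// otherwise a client-auth leaf signed by parent. Throwaway material for the demo only.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// admit stands in for the ATC webhook handler: in Yoke this is where a flight's WASM
// module would run against the AdmissionReview, so it is the function that must be gated.
func admit(w http.ResponseWriter, r *http.Request) {
	var review struct {
		Request struct {
			UID string `json:"uid"`
		} `json:"request"`
	}
	if err := json.NewDecoder(r.Body).Decode(&review); err != nil || review.Request.UID == "" {
		http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
		"response": map[string]any{"uid": review.Request.UID, "allowed": true}})
}

// requireCaller is the application-layer half of the gate. TLS (configured below) has already
// rejected peers with no certificate from the trusted CA; this pins the subject so that only the
// expected API server identity reaches the handler, not every holder of a CA-issued client cert.
func requireCaller(allowedCN string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		if r.TLS.VerifiedChains[0][0].Subject.CommonName != allowedCN { // [0][0] is the leaf
			http.Error(w, "caller is not the API server", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newHardenedWebhook starts a TLS server that demands a client certificate chaining to ca,
// assumed here to be the CA that issues the API server's webhook client credential.
func newHardenedWebhook(ca *x509.Certificate, allowedCN string) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(requireCaller(allowedCN, http.HandlerFunc(admit)))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// probe posts a constructed AdmissionReview as a caller presenting clientCert (nil models an
// arbitrary pod with no credential at all) and reports how the webhook treated it.
func probe(srv *httptest.Server, clientCert *tls.Certificate) string {
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone() // trusts srv's server cert
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	body := `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"0001"}}`
	resp, err := client.Post(srv.URL+"/validate", "application/json", strings.NewReader(body))
	if err != nil {
		return "rejected-at-tls" // handshake refused or alert sent before any HTTP response existed
	}
	resp.Body.Close()
	return fmt.Sprint(resp.StatusCode)
}

// RunScenarios exercises the hardened webhook as three callers and returns their outcomes.
func RunScenarios() (map[string]string, error) {
	ca, caKey, err := issue("webhook-client-ca", nil, nil)
	if err != nil {
		return nil, err
	}
	srv := newHardenedWebhook(ca, "kube-apiserver")
	defer srv.Close()
	results := map[string]string{}
	for _, c := range []struct{ name, cn string }{
		{"unauthenticated-pod", ""}, {"wrong-identity", "some-other-client"}, {"kube-apiserver", "kube-apiserver"},
	} {
		var cert *tls.Certificate
		if c.cn != "" {
			leaf, key, err := issue(c.cn, ca, caKey)
			if err != nil {
				return nil, err
			}
			cert = &tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}
		}
		results[c.name] = probe(srv, cert)
	}
	return results, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println(res) // map[kube-apiserver:200 unauthenticated-pod:rejected-at-tls wrong-identity:403]
}
```

Rejecting at the TLS layer means an unauthenticated pod never reaches the handler, so the WASM execution path is not entered at all; the subject pin then stops a second class of caller that the CVE text does not cover but that a shared cluster CA would otherwise admit. This only works if the API server actually presents a client certificate to the webhook, which it does only when its admission configuration is set up to supply one, so the server-side requirement must be deployed together with that configuration. A NetworkPolicy restricting ingress to the ATC pod is a complementary control, not a substitute, since it limits reachability rather than proving who the caller is.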
Details
- CWE(s)