CVE-2026-26055
Published: 12 February 2026
Summary
CVE-2026-26055 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Yokecd Yoke. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 30.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-26055 affects Yoke, a Helm-inspired infrastructure-as-code (IaC) package deployer, in versions 0.19.0 and earlier. The vulnerability resides in the Air Traffic Controller (ATC) component, whose webhook endpoints lack proper authentication. Because nothing verifies that the caller is the Kubernetes API Server, any pod on the cluster network can send AdmissionReview requests directly to the webhook, bypassing the authentication the API Server would otherwise enforce and triggering WASM module execution in the ATC controller's context without authorization. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-306 (Missing Authentication for Critical Function).
An attacker with the ability to deploy or compromise a pod within the Kubernetes cluster network can exploit this vulnerability. By sending crafted AdmissionReview requests directly to the ATC webhook endpoints, they bypass standard Kubernetes authentication enforced by the API Server. Successful exploitation allows the attacker to execute arbitrary WASM modules in the ATC controller's context without authorization, potentially leading to integrity violations such as unauthorized configuration changes or code injection within the Yoke deployment process.
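As an added illustration, not Yoke's own code, the following Go admission webhook server shows the weak TLS setting (ClientAuth: tls.NoClientCert, which is what lets any cluster pod reach the endpoint) beside the corrected one: the server requires a client certificate chaining to its client CA, and the handler additionally refuses any request without a verified chain before the AdmissionReview is parsed. The route, handler, certificate paths and client CA pool are assumptions for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"log"
	"net/http"
)

// requireVerifiedClientCert passes a request on only when the TLS layer has
// verified the caller's client certificate against the server's ClientCAs.
// Without it, any pod that can reach the service can post an AdmissionReview.
func requireVerifiedClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// admissionHandler stands in for the real endpoint: a controller's own logic
// (in Yoke's case, WASM execution) would run here on caller-supplied input.
func admissionHandler(w http.ResponseWriter, r *http.Request) {
	var review struct{ Request struct{ UID string `json:"uid"` } `json:"request"` }
	if err := json.NewDecoder(r.Body).Decode(&review); err != nil || review.Request.UID == "" {
		http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]any{"apiVersion": "admission.k8s.io/v1",
		"kind": "AdmissionReview", "response": map[string]any{"uid": review.Request.UID, "allowed": true}})
}

// newWebhookServer: the weak setting is ClientAuth: tls.NoClientCert; with
// RequireAndVerifyClientCert the TLS handshake itself rejects unauthenticated pods.
func newWebhookServer(addr string, clientCA *x509.CertPool) *http.Server {
	mux := http.NewServeMux()
	mux.Handle("/validate", requireVerifiedClientCert(http.HandlerFunc(admissionHandler)))
	return &http.Server{Addr: addr, Handler: mux, TLSConfig: &tls.Config{
		ClientCAs: clientCA, ClientAuth: tls.RequireAndVerifyClientCert,
	}}
}

func main() { // cert paths and the (here empty) client CA pool are assumptions
	srv := newWebhookServer(":8443", x509.NewCertPool())
	log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))
}
```

The Kubernetes API Server presents a client certificate to a webhook only when its admission webhook kubeconfig is configured with one, so the client CA loaded here must be the CA that signed that certificate.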
Mitigation details are available in the GitHub security advisory at https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6190
Vulnerability details
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on the ATC webhook directly enables exploitation of the exposed endpoint from within the cluster network (Exploit Public-Facing Application, T1190) and unauthorized WASM execution in the privileged controller context (Exploitation for Privilege Escalation, T1068).
Mitigating Controls (NIST 800-53 r5)
- Requires the ATC webhook service to implement identification and authentication consistent with organizational policy, directly preventing unauthorized AdmissionReview requests from cluster pods.
- AC-14 (Permitted Actions Without Identification or Authentication): Mandates identification and documentation of actions permitted without authentication, prohibiting unauthorized triggering of WASM execution on the ATC webhook endpoints.
- AC-3 (Access Enforcement): Enforces approved authorizations for access to the ATC webhook, blocking direct requests from unauthorized pods and mitigating bypass of Kubernetes API Server authentication.