Cyber Resilience

CVE-2026-26055

Severity: High · Public PoC

Published: 12 February 2026
Modified: 01 April 2026
KEV Added: not listed
Patch:
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26055 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Yokecd Yoke. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 30.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-26055 affects Yoke, a Helm-inspired infrastructure-as-code (IaC) package deployer, in versions 0.19.0 and earlier. The vulnerability resides in the Air Traffic Controller (ATC) component, where webhook endpoints lack proper authentication mechanisms. This allows any pod within the cluster network to send AdmissionReview requests directly to the webhook, bypassing Kubernetes API Server authentication and enabling unauthorized triggering of WASM module execution in the ATC controller context. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-306 (Missing Authentication for Critical Function).

An attacker with the ability to deploy or compromise a pod within the Kubernetes cluster network can exploit this vulnerability. By sending crafted AdmissionReview requests directly to the ATC webhook endpoints, they bypass standard Kubernetes authentication enforced by the API Server. Successful exploitation allows the attacker to execute arbitrary WASM modules in the ATC controller's context without authorization, potentially leading to integrity violations such as unauthorized configuration changes or code injection within the Yoke deployment process.
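As an added illustration (not Yoke's code, and not the fix published in the advisory), the Go snippet below shows the class of check that the missing authentication implies: a webhook handler that serves an AdmissionReview only when the TLS layer has verified a client certificate and its subject CN is the identity the API server presents. The handler name, the expected CN "kube-apiserver" and the AdmissionReview payload are constructed assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// admissionHandler stands in for the ATC webhook; on its own it serves any caller.
func admissionHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK) // real controller: decode the review, run the WASM module
}

// RequireAPIServerClientCert admits only requests whose client certificate the TLS
// layer verified (server configured with ClientAuth: tls.RequireAndVerifyClientCert
// and ClientCAs set to the API server's CA) and whose subject CN matches expectedCN.
func RequireAPIServerClientCert(expectedCN string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		if r.TLS.VerifiedChains[0][0].Subject.CommonName != expectedCN {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r) // body is only read for an authenticated API server
	})
}

// Probe sends a constructed AdmissionReview through h; a non-empty cn simulates a
// client chain that the TLS handshake has already verified.
func Probe(h http.Handler, cn string) int {
	body := `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"constructed"}}`
	req := httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(body))
	if cn != "" { // in production the TLS layer, not the handler, fills VerifiedChains
		req.TLS = &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{{Subject: pkix.Name{CommonName: cn}}}}}
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := RequireAPIServerClientCert("kube-apiserver", http.HandlerFunc(admissionHandler))
	fmt.Println(Probe(h, ""), Probe(h, "rogue-pod"), Probe(h, "kube-apiserver")) // 401 403 200
}
```

Whether the API server actually presents a client certificate to a webhook depends on the cluster's admission configuration (the kube-apiserver AdmissionConfiguration kubeConfigFile), so a check like this has to be paired with that setup; otherwise the webhook would reject the API server as well.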

Mitigation details are available in the GitHub security advisory at https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334.

EU & UK References

Vulnerability details

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Missing authentication on the ATC webhook directly enables exploitation of the exposed endpoint (T1190) from within the cluster network and unauthorized WASM execution in the privileged controller context (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26056 (same product: Yokecd Yoke)
CVE-2026-25192 (shared CWE-306)
CVE-2026-27767 (shared CWE-306)
CVE-2026-25848 (shared CWE-306)
CVE-2025-59246 (shared CWE-306)
CVE-2025-62586 (shared CWE-306)
CVE-2026-29796 (shared CWE-306)
CVE-2026-26125 (shared CWE-306)
CVE-2026-27772 (shared CWE-306)
CVE-2026-2417 (shared CWE-306)

Affected Assets

yokecd yoke, versions ≤ 0.19.0

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires the ATC webhook service to implement identification and authentication consistent with organizational policy, directly preventing unauthorized AdmissionReview requests from cluster pods.

Prevent (AC-14, Permitted Actions Without Identification or Authentication): Mandates identification and documentation of actions permitted without authentication, prohibiting unauthorized triggering of WASM execution on the ATC webhook endpoints.

Prevent (AC-3, Access Enforcement): Enforces approved authorizations for access to the ATC webhook, blocking direct requests from unauthorized pods and mitigating bypass of Kubernetes API Server authentication.

References