CVE-2026-26056
Published: 12 February 2026
Summary
CVE-2026-26056 is a high-severity Code Injection (CWE-94) vulnerability in Yokecd Yoke. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-35 (External Malicious Code Identification).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the lack of URL validation in the overrides.yoke.cd/flight annotation, preventing injection of malicious URLs leading to WASM execution.
Establishes policies to approve and control execution of mobile code like arbitrary WASM downloaded by the ATC controller, denying untrusted sources.
Requires identification and prevention mechanisms for external malicious code, mitigating the ATC's download and execution of attacker-supplied WASM modules.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a network-reachable code injection flaw (CWE-94) that permits an authenticated attacker to supply a malicious URL annotation, causing the ATC controller to fetch and execute arbitrary WASM code in its privileged process context; this directly enables T1190 (Exploit Public-Facing Application) for remote code execution and T1068 (Exploitation for Privilege Escalation) to reach cluster-admin rights.
NVD Description
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller…
more
context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level.
Deeper analysisAI
CVE-2026-26056 is a code injection vulnerability (CWE-94) in Yoke, a Helm-inspired infrastructure-as-code package deployer, affecting versions 0.19.0 and earlier. The issue lies in the Air Traffic Controller (ATC) component, which lacks proper URL validation when processing the overrides.yoke.cd/flight annotation on Custom Resources (CRs). This allows malicious URLs to be injected, causing the ATC controller to download and execute arbitrary WebAssembly (WASM) code within its own context. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
Users with permissions to create or update CRs can exploit this vulnerability remotely without user interaction. By injecting a malicious URL into the specified annotation, an attacker tricks the ATC into fetching and running attacker-controlled WASM code. This execution occurs in the ATC controller's privileged context, potentially allowing the creation of arbitrary Kubernetes resources or escalation to cluster-admin privileges.
Mitigation details and patch information are available in the GitHub security advisory at https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff.
Details
- CWE(s)