Cyber Resilience

CVE-2026-26056

HighPublic PoCRCE

Published: 12 February 2026

Published
12 February 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 31.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26056 is a high-severity Code Injection (CWE-94) vulnerability in Yokecd Yoke. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-35 (External Malicious Code Identification).

Deeper analysis

CVE-2026-26056 is a code injection vulnerability (CWE-94) in Yoke, a Helm-inspired infrastructure-as-code package deployer, affecting versions 0.19.0 and earlier. The issue lies in the Air Traffic Controller (ATC) component, which lacks proper URL validation when processing the overrides.yoke.cd/flight annotation on Custom Resources (CRs). This allows malicious URLs to be injected, causing the ATC controller to download and execute arbitrary WebAssembly (WASM) code within its own context. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

Users with permissions to create or update CRs can exploit this vulnerability remotely without user interaction. By injecting a malicious URL into the specified annotation, an attacker tricks the ATC into fetching and running attacker-controlled WASM code. This execution occurs in the ATC controller's privileged context, potentially allowing the creation of arbitrary Kubernetes resources or escalation to cluster-admin privileges.

Mitigation details and patch information are available in the GitHub security advisory at https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller…

more

context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a network-reachable code injection flaw (CWE-94) that permits an authenticated attacker to supply a malicious URL annotation, causing the ATC controller to fetch and execute arbitrary WASM code in its privileged process context; this directly enables T1190 (Exploit Public-Facing Application) for remote code execution and T1068 (Exploitation for Privilege Escalation) to reach cluster-admin rights.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26055Same product: Yokecd Yoke
CVE-2026-28425Shared CWE-94
CVE-2024-56373Shared CWE-94
CVE-2025-6990Shared CWE-94
CVE-2026-3132Shared CWE-94
CVE-2026-32573Shared CWE-94
CVE-2021-47770Shared CWE-94
CVE-2026-32999Shared CWE-94
CVE-2026-31857Shared CWE-94
CVE-2025-12637Shared CWE-94

Affected Assets

yokecd
yoke
≤ 0.19.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the lack of URL validation in the overrides.yoke.cd/flight annotation, preventing injection of malicious URLs leading to WASM execution.

prevent

Establishes policies to approve and control execution of mobile code like arbitrary WASM downloaded by the ATC controller, denying untrusted sources.

prevent

Requires identification and prevention mechanisms for external malicious code, mitigating the ATC's download and execution of attacker-supplied WASM modules.

References