Description

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level.

INFO

Published Date :

2026-02-12T21:11:13.408Z

Last Modified :

2026-02-12T21:33:22.829Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26056 vulnerability.

Vendors Products
Yokecd
  • Yoke
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26056.

URL Resource
https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact