@alon710
Created February 13, 2026 12:40

CVE-2026-26056: Yoke ATC: Flying Blind into WASM RCE

CVSS Score: 8.8
Published: 2026-02-12
Full Report: https://cvereports.com/reports/CVE-2026-26056

Summary

A critical remote code execution vulnerability in Yoke's Air Traffic Controller (ATC) component allows attackers to execute arbitrary WebAssembly (WASM) modules via simple Kubernetes annotations. By failing to validate the origin of 'flight' overrides, Yoke inadvertently turns the cluster's management layer into a malware distribution platform.

TL;DR

Yoke ATC versions <= 0.19.0 blindly download and execute WASM binaries from URLs specified in Kubernetes annotations. An attacker with basic edit rights can escalate to full cluster compromise.

Exploit Status: PoC

Technical Details

  • CWE ID: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
  • Attack Vector: Network (Annotation Injection)
  • CVSS: 8.8 (High)
  • Risk: Critical (RCE / Privilege Escalation)
  • Exploit Status: PoC Available / Trivial
  • Affected Component: Yoke ATC / WASM Loader

Affected Systems

  • Yoke Air Traffic Controller (ATC)
  • Kubernetes Clusters using Yoke
  • Yoke: <= 0.19.0 (Fixed in: 0.19.1)

Mitigation

  • Upgrade Yoke components to 0.19.1 or later
  • Implement Admission Controller policies
  • Restrict network egress for controller pods

Remediation Steps:

  1. Pull the latest Yoke images (tag >= 0.19.1).
  2. Redeploy the ATC component.
  3. Audit existing resources for the overrides.yoke.cd/flight annotation.
  4. Apply Kyverno/Gatekeeper policies to block unauthorized annotations.
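Remediation step 3 (auditing for the overrides.yoke.cd/flight annotation) can be done offline against a `kubectl get <kind> -A -o json` dump. The script below is an added example written for this report, not code from the gist or the Yoke project; the allowlisted origin, the resource kind carrying the annotation and the sample dump are all constructed for illustration, and it reports every annotated resource and whether its flight URL points at an approved origin.

```python
import json
from urllib.parse import urlparse

FLIGHT_ANNOTATION = "overrides.yoke.cd/flight"

# Constructed allowlist: (scheme, host) pairs ATC may legitimately fetch flights from.
ALLOWED_ORIGINS = {("https", "artifacts.example.internal")}


def classify_flight_url(url):
    """'allowed' if scheme and host are allowlisted, otherwise 'untrusted'."""
    parsed = urlparse(url.strip())
    if (parsed.scheme.lower(), parsed.hostname) in ALLOWED_ORIGINS:
        return "allowed"
    return "untrusted"


def find_flight_overrides(dump):
    """Walk a kubectl JSON List and return one finding per annotated resource."""
    findings = []
    for item in dump.get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        if FLIGHT_ANNOTATION not in annotations:
            continue  # no override set: ATC falls back to its normal flight source
        url = annotations[FLIGHT_ANNOTATION]
        findings.append({
            "kind": item.get("kind"),
            "namespace": meta.get("namespace", ""),
            "name": meta.get("name"),
            "url": url,
            "verdict": classify_flight_url(url),
        })
    return findings


# Constructed sample in `kubectl get ... -o json` shape: one override from the
# approved origin, one pointing ATC at an arbitrary host, one with no override.
SAMPLE_DUMP = json.loads("""{"apiVersion": "v1", "kind": "List", "items": [
  {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "prod",
   "annotations": {"overrides.yoke.cd/flight":
                   "https://artifacts.example.internal/flights/app.wasm"}}},
  {"kind": "ConfigMap", "metadata": {"name": "debug-config", "namespace": "dev",
   "annotations": {"overrides.yoke.cd/flight":
                   "http://unknown-host.example/flight.wasm"}}},
  {"kind": "ConfigMap", "metadata": {"name": "plain", "namespace": "dev"}}]}""")

if __name__ == "__main__":
    for f in find_flight_overrides(SAMPLE_DUMP):
        print(f"{f['verdict']:9} {f['kind']}/{f['namespace']}/{f['name']} -> {f['url']}")
```

Any `untrusted` line is a resource to review before upgrading, and the same scheme/host check is the condition an admission policy (step 4) should enforce on create and update.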

Generated by CVEReports - Automated Vulnerability Intelligence
