CVSS Score: 7.5 Published: 2026-02-12 Full Report: https://cvereports.com/reports/CVE-2026-26055
A critical authentication bypass in Yoke's Air Traffic Controller (ATC) component allows unauthenticated network actors to trigger WebAssembly admission logic directly. By failing to validate the identity of the caller (typically the Kubernetes API Server), the ATC exposes its validation and mutation endpoints to the entire cluster network. This allows attackers to bypass admission controls, exhaust resources via WASM execution, or potentially corrupt controller state.
Yoke's ATC component doesn't check who is calling its webhook endpoints. Any pod in the cluster can send fake 'AdmissionReview' requests, forcing the controller to execute WASM logic without authorization.
- CWE: CWE-306 (Missing Authentication)
- CVSS v3.1: 7.5 (High)
- Attack Vector: Network (Internal K8s)
- Privileges Required: None
- Impact: Integrity / Denial of Service
- Exploit Status: PoC / Functional
- Yoke Air Traffic Controller (ATC)
- Kubernetes Clusters using Yoke < 0.19.1
- Yoke (ATC): <= 0.19.0 (Fixed in: 0.19.1)
- Implement Mutual TLS (mTLS) for all Admission Webhooks.
- Apply strict Kubernetes NetworkPolicies to restrict Ingress to the Control Plane CIDR only.
- Upgrade Yoke ATC to version > 0.19.0.
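An example of the NetworkPolicy mitigation above, added here and not taken from the CVEReports page or the Yoke project: it restricts ingress to the ATC webhook pods so only the control-plane CIDR can reach them. The namespace (yoke-system, taken from the Helm command below), the pod label, the webhook port and the CIDR are assumptions to adjust for your cluster.

```yaml
# Added example, not part of the original report or of Yoke itself.
# Assumptions (adjust to your cluster): ATC pods carry the label
# app.kubernetes.io/name=yoke-atc, serve the webhook on TCP/443, and the
# API server reaches pods from the control-plane range 10.0.0.0/24.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: atc-webhook-control-plane-only
  namespace: yoke-system
spec:
  # Selecting the ATC pods makes this policy apply to them; once selected,
  # any ingress not matched by a rule below is denied.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: yoke-atc
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.0/24   # control-plane CIDR (assumed placeholder)
      ports:
        - protocol: TCP
          port: 443             # webhook listener port (assumed)
```

NetworkPolicy is only enforced when the cluster's CNI supports it, and on managed clusters the API server's source address is the provider's control-plane range rather than a node CIDR, so confirm the admission webhook still fires through the API server after applying the policy.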
Remediation Steps:
- Check current version: helm list -n yoke-system
- Upgrade Helm chart: helm upgrade yoke yokecd/yoke --version 0.20.0
- Verify the new deployment enforces client certificate validation.
- Audit logs for suspicious access to the ATC service IP from non-API-server IPs.
Generated by CVEReports - Automated Vulnerability Intelligence