CVE-2026-26055
📋 TL;DR
This vulnerability allows any pod within a Kubernetes cluster to send unauthorized AdmissionReview requests to Yoke's Air Traffic Controller webhook endpoints, bypassing Kubernetes API Server authentication. Attackers can trigger WASM module execution in the ATC controller context without proper authorization. This affects all users running Yoke version 0.19.0 or earlier.
💻 Affected Systems
- Yoke
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary WASM modules with controller privileges, potentially leading to cluster-wide compromise, data exfiltration, or resource hijacking.
Likely Case
Unauthorized pods within the cluster could trigger unintended WASM module execution, causing service disruption or privilege escalation.
If Mitigated
With proper network segmentation and authentication controls, impact would be limited to authorized components only.
🎯 Exploit Status
Exploitation requires network access to the cluster but no authentication to the webhook endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.20.0 or later
Vendor Advisory: https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334
Restart Required: Yes
Instructions:
1. Upgrade Yoke to version 0.20.0 or later. 2. Update the ATC controller deployment. 3. Verify webhook endpoints now require proper authentication.
🔧 Temporary Workarounds
Network Policy Restriction
allImplement Kubernetes Network Policies to restrict pod-to-pod communication to the ATC webhook endpoints.
kubectl apply -f network-policy.yaml
Webhook Authentication
allManually configure authentication for ATC webhook endpoints using Kubernetes ServiceAccounts and RBAC.
kubectl create serviceaccount atc-webhook-auth
kubectl create rolebinding atc-webhook-binding --clusterrole=admin --serviceaccount=default:atc-webhook-auth
🧯 If You Can't Patch
- Implement strict network segmentation using Kubernetes Network Policies to isolate the ATC controller from other pods.
- Disable the ATC webhook functionality if not required for your deployment.
🔍 How to Verify
Check if Vulnerable:
Check Yoke version: kubectl get deployment yoke-atc -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o ':[0-9.]*'Check Version:
kubectl get deployment yoke-atc -o jsonpath='{.spec.template.spec.containers[0].image}'Verify Fix Applied:
Test webhook endpoint authentication by attempting unauthorized AdmissionReview requests from a test pod.📡 Detection & Monitoring
Log Indicators:
- Unauthorized AdmissionReview requests in ATC controller logs
- Failed authentication attempts to webhook endpoints
Network Indicators:
- Unexpected pod-to-ATC controller communication on webhook ports
- AdmissionReview requests from unauthorized sources
SIEM Query:
source="yoke-atc" AND ("AdmissionReview" OR "webhook") AND status="unauthorized"