CVE-2026-26056
📋 TL;DR
This vulnerability allows users with create/update permissions in Yoke's Air Traffic Controller to execute arbitrary WASM code by injecting malicious URLs through annotations. Attackers can create arbitrary Kubernetes resources or escalate to cluster-admin privileges. Affects Yoke versions 0.19.0 and earlier.
💻 Affected Systems
- Yoke
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise with cluster-admin privileges, allowing complete control over all Kubernetes resources and potential lateral movement to other systems.
Likely Case
Unauthorized creation/modification of Kubernetes resources, data exfiltration, or service disruption within the affected cluster.
If Mitigated
Limited impact if proper RBAC controls restrict user permissions and network policies prevent external WASM module downloads.
🎯 Exploit Status
Exploitation requires an authenticated user with create/update permissions on ATC resources. Once those permissions are obtained, the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.19.1 or later
Vendor Advisory: https://github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff
Restart Required: Yes
Instructions:
1. Update Yoke to version 0.19.1 or later.
2. Restart all ATC controller pods.
3. Verify the update by checking controller logs for successful startup.
🔧 Temporary Workarounds
Restrict ATC Controller Network Access
Apply network policies to prevent the ATC controller from downloading external WASM modules
kubectl apply -f network-policy.yaml
Tighten RBAC Permissions
Restrict create/update permissions on ATC resources to only the users who need them
kubectl edit clusterrolebinding
kubectl edit rolebinding
🧯 If You Can't Patch
- Implement strict network policies to block all external WASM module downloads by ATC controllers
- Apply least-privilege RBAC principles and audit all users with ATC create/update permissions
🔍 How to Verify
Check if Vulnerable:
Check the Yoke version with yoke --version. If the version is 0.19.0 or earlier, the system is vulnerable.
Check Version:
yoke --version
Verify Fix Applied:
Verify that the yoke version is 0.19.1 or later, and check the ATC controller logs for a successful startup without WASM download errors.
📡 Detection & Monitoring
Log Indicators:
- ATC controller downloading WASM modules from external URLs
- Unusual resource creation events in Kubernetes audit logs
- Failed WASM module execution attempts
Network Indicators:
- Outbound HTTP/HTTPS requests from ATC controllers to untrusted domains
- WASM file downloads to ATC controller pods
SIEM Query:
source="kubernetes" ("yoke" OR "atc") AND ("download" OR "wasm" OR "override.yoke.cd/flight")
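The log indicators and SIEM query above can be turned into a small audit-log check. The following is an added example, not code from the Yoke project or from this advisory: it scans Kubernetes audit-log entries for create/update/patch requests carrying an annotation under the override.yoke.cd/ prefix whose URL points at a host outside an allowlist. The annotation prefix comes from the SIEM query; that such annotations hold the module URL, and the allowlisted host, are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Key prefix from the page's SIEM query; that it carries the module URL is an assumption here.
ANNOTATION_PREFIX = "override.yoke.cd/"
ALLOWED_HOSTS = {"registry.internal.example"}  # assumed allowlist of module sources
WRITE_VERBS = {"create", "update", "patch"}

def annotation_urls(event):
    """Yield (key, url) for yoke override annotations in the audit event's request object."""
    obj = event.get("requestObject") or {}
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    for key, value in annotations.items():
        if key.startswith(ANNOTATION_PREFIX) and "://" in str(value):
            yield key, str(value)

def find_untrusted_overrides(audit_lines, allowed_hosts=ALLOWED_HOSTS):
    """Flag write events whose override annotation points outside the allowlist."""
    findings = []
    for line in audit_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (e.g. plain controller text logs)
        if event.get("verb") not in WRITE_VERBS:
            continue
        for key, url in annotation_urls(event):
            if (urlparse(url).hostname or "") not in allowed_hosts:
                findings.append({"user": (event.get("user") or {}).get("username"),
                                 "resource": (event.get("objectRef") or {}).get("name"),
                                 "annotation": key, "url": url})
    return findings

# Constructed sample audit entries (not real logs): one allowed, one untrusted, one read-only.
def _event(verb, user, url=None):
    e = {"verb": verb, "user": {"username": user}, "objectRef": {"name": "web-app"}}
    if url:
        e["requestObject"] = {"metadata": {"annotations": {"override.yoke.cd/flight": url}}}
    return json.dumps(e)

SAMPLE_AUDIT = [
    _event("create", "dev-a", "https://registry.internal.example/flights/web.wasm"),
    _event("update", "dev-b", "https://untrusted.example/flight.wasm"),
    _event("get", "dev-b"),
]

if __name__ == "__main__":
    for f in find_untrusted_overrides(SAMPLE_AUDIT):
        print(f"{f['user']} set {f['annotation']}={f['url']} on {f['resource']}")
```

The requestObject field is only present when the cluster's audit policy logs the relevant resources at the Request or RequestResponse level, so check the policy before relying on this signal.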