CVE-2026-26055 — HIGH (7.5)

Q: How severe is CVE-2026-26055?

CVE-2026-26055 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-26055?

Check the references section above for vendor advisories and patch information. Affected products include: Yokecd Yoke.

Vulnerability Description

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Yokecd	Yoke	<= 0.19.0

Related Weaknesses (CWE)

CWE-306

References

https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334ExploitVendor Advisory

FAQ

What is CVE-2026-26055?

CVE-2026-26055 is a vulnerability with a CVSS score of 7.5 (HIGH). Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints la...

How severe is CVE-2026-26055?

CVE-2026-26055 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-26055?

Check the references section above for vendor advisories and patch information. Affected products include: Yokecd Yoke.