VDB

CVE-2026-26056

CVE-2026-26056 PUBLISHED CVSS 8.800000190734863 HIGH

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level.

EPSS 0.06% · 18.9th percentile

Risk Scores

CVSS v3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.06%
18.9th percentile

Affected Products

VendorProductVersions
yokecdyoke*, < 0.19.0, 0
github.comyokecd/yoke0, 0

Timeline

  • Feb 12, 2026 CVE Published
  • Feb 13, 2026 CVE Updated
  • Feb 13, 2026 EPSS Score
  • Feb 13, 2026 PoC Published
  • Feb 13, 2026 PoC Published
  • Feb 15, 2026 EPSS Score
  • Feb 17, 2026 EPSS Score
  • Feb 19, 2026 EPSS Score
  • Feb 21, 2026 EPSS Score
  • Feb 22, 2026 EPSS Score
  • Feb 24, 2026 EPSS Score
  • Feb 26, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›