CVE-2026-26055

Exploit

EPSS 0.09%
Veröffentlicht 12.02.2026 21:07:17
Zuletzt bearbeitet 01.04.2026 20:57:00
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Yokecd ≫ Yoke Version <= 0.19.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.255

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-26055

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-26055

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-26055

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-26055