PT-2026-7905 · Unknown+3 · Kubernetes+3
B0B0Haha +1
Published: 2026-02-12 · Updated: 2026-03-03
CVE-2026-26055 · CVSS v3.1 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Yoke versions 0.18.x and earlier
Description: The Air Traffic Controller (ATC) component of Yoke exposes its admission-webhook endpoints without any authentication. Any pod that can reach the ATC service over the cluster network (by default a ClusterIP Service is reachable from every namespace) can POST AdmissionReview requests straight to the webhook, bypassing the authentication the Kubernetes API server would otherwise perform, and thereby trigger WASM module execution in the ATC controller's context without authorization. The affected endpoints are '/validations/{airway}', '/validations/resources', '/validations/flights.yoke.cd', '/validations/airways.yoke.cd' and '/crdconvert/{airway}'. The root cause is the absence of TLS client-certificate verification, request-source validation, or any authentication middleware in the HTTP handler implementation. Crafted AdmissionReview requests therefore lead to unauthorized WASM execution and, combined with other issues, to the creation of arbitrary Kubernetes resources. The assigned CVSS vector scores the impact as High on integrity only (C:N/I:H/A:N); confidentiality and availability effects, while conceivable from unauthorized code execution, are not scored.
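The pattern the description refers to, as an added illustration that is not Yoke's own code: a validating-webhook handler with the shape of the vulnerable endpoints (decode AdmissionReview, run the module, echo the UID) with no check on who sent it, beside the client-certificate middleware the advisory says is absent. The AdmissionReview types, the `/validations/` mux, the simulated WASM counter, the `c0ffee` UID and the `kube-apiserver` CommonName are all assumptions constructed for the demo; the real CN is whatever the API server's webhook kubeconfig certificate carries.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// Minimal admission.k8s.io/v1 AdmissionReview envelope; constructed stand-in, not Yoke's types.
type admissionRequest struct{ UID string `json:"uid"` }
type admissionResponse struct {
	UID     string `json:"uid"`
	Allowed bool   `json:"allowed"`
}
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

// wasmRuns stands in for "a flight's WASM module ran in the controller" (the privileged step).
var wasmRuns atomic.Int64

// validateHandler has the shape of the vulnerable endpoints: decode, run the module, echo the
// UID. Nothing here checks who sent the request; that is the whole of the weakness.
func validateHandler(w http.ResponseWriter, r *http.Request) {
	var review admissionReview
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&review); err != nil || review.Request == nil {
		http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
		return
	}
	wasmRuns.Add(1) // simulated WASM execution
	review.Response = &admissionResponse{UID: review.Request.UID, Allowed: true}
	review.Request = nil
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(review)
}

// requireClientCert is the missing check. crypto/tls fills VerifiedChains only when the listener's
// tls.Config sets ClientAuth: tls.RequireAndVerifyClientCert with a ClientCAs pool holding the CA
// behind the API server's webhook client certificate; the leaf CN is then matched to an allow-list.
func requireClientCert(allowedCN map[string]bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 || len(r.TLS.VerifiedChains[0]) == 0 {
				http.Error(w, "client certificate required", http.StatusUnauthorized)
				return
			}
			if leaf := r.TLS.VerifiedChains[0][0]; !allowedCN[leaf.Subject.CommonName] {
				http.Error(w, "client certificate not authorized", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// newMux registers the validation endpoints; wrap == nil reproduces the 0.18.x behaviour.
func newMux(wrap func(http.Handler) http.Handler) *http.ServeMux {
	var h http.Handler = http.HandlerFunc(validateHandler)
	if wrap != nil {
		h = wrap(h)
	}
	mux := http.NewServeMux()
	mux.Handle("/validations/", h) // {airway}, resources, flights.yoke.cd, airways.yoke.cd; /crdconvert/ would be wrapped alike
	return mux
}

// post plays an in-cluster caller: a constructed AdmissionReview sent with the given TLS state (nil = plain HTTP).
func post(mux http.Handler, path string, tlsState *tls.ConnectionState) int {
	const body = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"c0ffee"}}`
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(body))
	req.TLS = tlsState
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

// clientCertState fabricates what a verified mTLS handshake yields (constructed for the demo only).
func clientCertState(cn string) *tls.ConnectionState {
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	return &tls.ConnectionState{HandshakeComplete: true, VerifiedChains: [][]*x509.Certificate{{leaf}}}
}

func main() {
	open, hardened := newMux(nil), newMux(requireClientCert(map[string]bool{"kube-apiserver": true}))
	const p = "/validations/my-airway"
	fmt.Println("any pod, no TLS   -> 0.18.x:  ", post(open, p, nil))                                   // 200
	fmt.Println("any pod, no TLS   -> hardened:", post(hardened, p, nil))                               // 401
	fmt.Println("pod, own cert     -> hardened:", post(hardened, p, clientCertState("attacker")))       // 403
	fmt.Println("kube-apiserver    -> hardened:", post(hardened, p, clientCertState("kube-apiserver"))) // 200
	fmt.Println("simulated WASM runs:", wasmRuns.Load())                                                 // 2
}
```

The middleware is only meaningful behind a listener that actually verifies client certificates: without `tls.RequireAndVerifyClientCert` and a `ClientCAs` pool, `VerifiedChains` stays empty and every request is rejected, which is the safe failure direction. An allow-listed CN rather than "any verified certificate" matters because other workloads may legitimately hold certificates from the same cluster CA.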
Recommendations: Upgrade to Yoke 0.19.0 or later. Where a version prior to 0.19.0 must remain in service, reduce exposure with the following (these limit who can reach the webhook; they do not add authentication to it):
Deploy a NetworkPolicy on the ATC pods that restricts ingress to the kube-apiserver only.
Use a service mesh (Istio, Linkerd) to enforce mTLS between services. Note that the API server is not a mesh member, so its webhook calls must be exempted (for example a port-level permissive setting) rather than subjected to strict mTLS, and that the mesh's authorization policy, not mTLS alone, is what restricts which workloads may call the ATC.
Restrict which pods can be created in the cluster (Pod Security Admission on current Kubernetes; PodSecurityPolicy was removed in Kubernetes 1.25), since any pod with network access to the ATC can reach the webhook.
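The NetworkPolicy mitigation above, written out as an added example (not a manifest from the Yoke project). The namespace `yoke-system`, the label `app: atc`, the listener port 3000 and the control-plane address 10.0.0.2/32 are assumptions to replace with the values from your deployment:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: atc-webhook-apiserver-only
  namespace: yoke-system            # assumed: namespace of the ATC deployment
spec:
  podSelector:
    matchLabels:
      app: atc                      # assumed: label on the ATC pods
  policyTypes:
  - Ingress                         # only ingress is restricted; egress is left as is
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.2/32           # assumed: address the kube-apiserver connects from
    ports:
    - protocol: TCP
      port: 3000                    # assumed: ATC webhook listener port
```

Three things to check before relying on it: the cluster's CNI must actually enforce NetworkPolicy (some do not, and then the object is silently inert); the kube-apiserver is usually not a pod you can select, so the source has to be an `ipBlock` covering every control-plane address (all control-plane nodes in an HA setup, or the provider's documented control-plane range on a managed cluster); and if the ATC pod has HTTP probes, confirm your CNI exempts kubelet traffic or add the node CIDR, otherwise the probes fail once the policy lands. A policy with an empty `from` list would allow all sources, which is the opposite of the intent.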

Weakness Enumeration
Missing Authentication

Related Identifiers

CVE-2026-26055
GHSA-965M-V4CC-6334
GO-2026-4491
SUSE-SU-2026:0757-1

Affected Products

Yoke (0.18.x and earlier), deployed on Kubernetes

Istio and Linkerd appear on this page only as service-mesh mitigations; they are not affected software.