PT-2026-7906 · Yoke · Yoke

B0B0Haha

Published: 2026-02-12 · Updated: 2026-03-03

CVE-2026-26056

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Yoke versions 0.19.0 and earlier

Description: Yoke's Air Traffic Controller (ATC) component contains a flaw that allows users with Custom Resource (CR) create/update permissions to execute arbitrary WASM code. This is achieved by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without validating the URL, potentially enabling attackers to create arbitrary Kubernetes resources or escalate privileges. The vulnerability resides in the handling of the overrides.yoke.cd/flight annotation, where the controller uses the user-provided URL directly without proper validation. The permission check only verifies update permission on airways resources, and so does not prevent the execution of arbitrary WASM code. A Proof of Concept (PoC) demonstrates a malicious WASM module that creates a ConfigMap named stolen-credentials in the cluster, proving arbitrary code execution. The vulnerability is categorized as Remote Code Execution (RCE) / Code Injection. Attackers with CR create/update permissions and network access to host malicious WASM can exploit this issue. The impact includes potential compromise of confidentiality, integrity, and availability.

Recommendations, for versions prior to 0.19.0:
- Disable the annotation override feature by removing or disabling the overrides.yoke.cd/flight annotation processing in production environments.
- Restrict the ATC controller's outbound network access to prevent downloading external WASM modules.
- Limit CR create/update permissions to trusted users only.
- Deploy a validating webhook to reject CRs with overrides.yoke.cd/flight annotations.
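The last recommendation, rejecting CRs that carry the overrides.yoke.cd/flight annotation, can be implemented as the decision step of a Kubernetes validating admission webhook. The following is an added example and not Yoke project code; it assumes the webhook is served over TLS and registered through a ValidatingWebhookConfiguration separately, and the CR kind `Example` in the constructed sample request is hypothetical.

```python
"""Decision logic for a validating admission webhook that rejects objects carrying
the overrides.yoke.cd/flight annotation, the mitigation listed in the advisory.
Added example, not Yoke project code: it covers only the allow/deny decision;
serving it over TLS and registering the webhook with the API server are assumed."""
import json
from typing import Optional

BLOCKED_ANNOTATION = "overrides.yoke.cd/flight"


def denial_reason(obj: Optional[dict]) -> Optional[str]:
    """Return a reason string if the object carries the blocked annotation, else None."""
    if not isinstance(obj, dict):
        return None
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    if BLOCKED_ANNOTATION in annotations:
        return (f"annotation {BLOCKED_ANNOTATION} is not permitted; the ATC controller "
                f"would fetch and execute WASM from {annotations[BLOCKED_ANNOTATION]!r}")
    return None


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response for one admission request."""
    request = admission_review["request"]
    reason = None
    # Only CREATE and UPDATE can introduce the annotation; other operations pass through.
    if request.get("operation") in ("CREATE", "UPDATE"):
        reason = denial_reason(request.get("object"))
    response = {"uid": request["uid"], "allowed": reason is None}
    if reason is not None:
        response["status"] = {"code": 403, "message": reason}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample: a CR of a hypothetical kind whose annotation points at external WASM.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001", "operation": "CREATE",
        "object": {"apiVersion": "example.com/v1", "kind": "Example",
                   "metadata": {"name": "demo", "annotations": {
                       BLOCKED_ANNOTATION: "https://untrusted.example/flight.wasm"}}},
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```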

Exploit

Fix

Code Injection

Related Identifiers

CVE-2026-26056
GHSA-WJ8P-JJ64-H7FF
GO-2026-4493
SUSE-SU-2026:0757-1

Affected Products

Yoke