High (8.8)

CVE-2026-26056: Yoke

CVE-2026-26056

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR crea...

Overview

A significant security vulnerability has been identified in Yoke, an infrastructure-as-code tool for deploying packages. This flaw allows an attacker with basic permissions to execute unauthorized code and potentially gain full control over a Kubernetes cluster.

Vulnerability Explained

In simple terms, Yoke uses a component called the Air Traffic Controller (ATC) to manage deployments. This component has a feature that allows users to customize deployments by pointing to external code modules (WASM files). The vulnerability exists because the ATC does not properly check or restrict the source of these modules.

An attacker who already has permission to create or update certain resources in the cluster can abuse this feature. By injecting a malicious web address (URL) into a specific annotation (overrides.yoke.cd/flight), they can trick the ATC into downloading and executing harmful code from an external server they control. This code runs with the high-level permissions of the ATC controller itself.

Potential Impact

The consequences of this vulnerability are severe:

  • Resource Creation: Attackers can create any Kubernetes resource (like pods, secrets, or services) within the cluster.
  • Privilege Escalation: By creating these resources, an attacker can potentially escalate their privileges to cluster-admin level, granting them complete control over the entire Kubernetes environment.
  • Data Breach & System Compromise: Full cluster access allows for theft of sensitive data, deployment of cryptocurrency miners, disruption of services, or establishment of a persistent foothold for further attacks.

This is classified as a HIGH severity vulnerability with a CVSS score of 8.8.

Remediation and Mitigation

Primary Action: Immediate Upgrade. The core fix is to upgrade Yoke to version 0.20.0 or later, where this vulnerability has been patched. Update your Yoke installation and controller as soon as possible.

Immediate Mitigation (If Upgrade is Delayed):

  1. Restrict Permissions: Immediately audit and tighten Kubernetes RBAC (Role-Based Access Control) permissions. Minimize the number of users and service accounts that have create or update permissions on resources that can be targeted by Yoke (like Flights).
  2. Network Policies: Implement Kubernetes Network Policies to block egress traffic from the ATC controller pod to the public internet, preventing it from downloading external WASM modules. This may break legitimate functionality if you use external overrides.
  3. Admission Controller: Consider using a validating admission webhook to reject any resource containing the overrides.yoke.cd/flight annotation until the upgrade is complete.
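As an added illustration of the third mitigation (example code written for this page, not Yoke's own), the decision logic of a validating admission webhook that denies any object carrying the overrides.yoke.cd/flight annotation. It models only the AdmissionReview v1 fields it needs; TLS serving and the ValidatingWebhookConfiguration that routes Flight create/update requests to it are assumed to be set up separately.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// Annotation the ATC honours for external WASM flight overrides (named in the advisory).
const flightOverrideAnnotation = "overrides.yoke.cd/flight"
// Minimal subset of the admission.k8s.io/v1 AdmissionReview schema: only the fields
// this check reads (request uid, object annotations) or writes (response) are modelled.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID    string `json:"uid"`
	Object struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	} `json:"object"`
}
type status struct{ Message string `json:"message"` }
type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}

// Review fills in the Response for one AdmissionReview body as the API server sends it.
// Any object carrying the override annotation is denied outright, whatever its value,
// so the ATC never sees a URL it could fetch; everything else is allowed unchanged.
func Review(body []byte) (*admissionReview, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	resp := &admissionResponse{UID: ar.Request.UID, Allowed: true}
	if v, ok := ar.Request.Object.Metadata.Annotations[flightOverrideAnnotation]; ok {
		resp.Allowed = false
		resp.Status = &status{fmt.Sprintf("annotation %s is blocked until Yoke is upgraded (value %q)", flightOverrideAnnotation, v)}
	}
	ar.Response, ar.Request = resp, nil // the API server only needs the response echoed back
	return &ar, nil
}
```

Because the check keys on the annotation's presence rather than its value, it also rejects overrides pointing at internal or allow-listed locations; that is deliberate for a stop-gap and should be relaxed once 0.20.0 is deployed.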

General Recommendation: Always follow the principle of least privilege for users and service accounts in your clusters to limit the blast radius of such vulnerabilities.
