DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26055: Flying Blind: Yoke ATC's Open Door Policy (CVE-2026-26055)


Vulnerability ID: CVE-2026-26055
CVSS Score: 7.5
Published: 2026-02-12

A critical authentication bypass in Yoke's Air Traffic Controller (ATC) component allows unauthenticated network actors to trigger WebAssembly admission logic directly. By failing to validate the identity of the caller (typically the Kubernetes API Server), the ATC exposes its validation and mutation endpoints to the entire cluster network. This allows attackers to bypass admission controls, exhaust resources via WASM execution, or potentially corrupt controller state.

TL;DR

Yoke's ATC component doesn't check who is calling its webhook endpoints. Any pod in the cluster can send fake 'AdmissionReview' requests, forcing the controller to execute WASM logic without authorization.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-306 (Missing Authentication)
  • CVSS v3.1: 7.5 (High)
  • Attack Vector: Network (Internal K8s)
  • Privileges Required: None
  • Impact: Integrity / Denial of Service
  • Exploit Status: PoC / Functional

Affected Systems

  • Yoke Air Traffic Controller (ATC)
  • Kubernetes Clusters using Yoke < 0.19.1
  • Yoke (ATC): <= 0.19.0 (Fixed in: 0.19.1)

Code Analysis

Commit: f973056

Fix: enforce client certificate validation for webhook server

tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
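To show what that one-line change does at the wire level, here is an added example (not Yoke's code) that builds the webhook server's TLS config both ways and checks whether a client with no certificate, the position of an arbitrary in-cluster pod, can reach the admission handler. The handler, the AdmissionReview body and the empty CA pool are constructed for the demo; in a real deployment `clusterCA` is the bundle that signed the API server's webhook client certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"net/http"
	"net/http/httptest"
	"strings"
)

// webhookTLSConfig builds the webhook server's TLS config. enforce=false
// reproduces the pre-0.19.1 behaviour: ClientAuth is left at its default
// (NoClientCert), so any pod that can reach the port completes the handshake.
// enforce=true applies the one-line fix from commit f973056. clusterCA must be
// the CA bundle that signed the API server's webhook client certificate; even
// an empty pool rejects a client that presents no certificate at all.
func webhookTLSConfig(clusterCA *x509.CertPool, enforce bool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ClientCAs: clusterCA}
	if enforce {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg
}

// anonymousPostAccepted serves a stub /validate handler under cfg and posts a
// constructed AdmissionReview from a client that trusts the server but presents
// no certificate of its own. It reports whether the request reached the
// handler; a TLS-level rejection (for example "remote error: tls: certificate
// required") counts as false.
func anonymousPostAccepted(cfg *tls.Config) bool {
	handler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK) // the real handler would run WASM admission logic here
	})
	srv := httptest.NewUnstartedServer(handler)
	srv.TLS = cfg // httptest adds its own server certificate to this config
	srv.StartTLS()
	defer srv.Close()
	review := strings.NewReader(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview"}`)
	resp, err := srv.Client().Post(srv.URL+"/validate", "application/json", review)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}
```

Pair this with a NetworkPolicy: client certificate verification stops the request at the handshake, while the policy keeps untrusted pods from reaching the port at all.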

Exploit Details

  • Internal Research: The advisory describes the lack of authentication, which implicitly allows curl-based exploitation.

Mitigation Strategies

  • Implement Mutual TLS (mTLS) for all Admission Webhooks.
  • Apply strict Kubernetes NetworkPolicies to restrict Ingress to the Control Plane CIDR only.
  • Upgrade Yoke ATC to version > 0.19.0.

Remediation Steps:

  1. Check current version: helm list -n yoke-system.
  2. Upgrade Helm chart: helm upgrade yoke yokecd/yoke --version 0.20.0.
  3. Verify the new deployment enforces client certificate validation.
  4. Audit logs for suspicious access to the ATC service IP from non-API-server IPs.

Read the full report for CVE-2026-26055 on our website for more details including interactive diagrams and full exploit analysis.
