DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26056: Yoke ATC: Flying Blind into WASM RCE


Vulnerability ID: CVE-2026-26056
CVSS Score: 8.8
Published: 2026-02-12

A critical remote code execution vulnerability in Yoke's Air Traffic Controller (ATC) component allows attackers to execute arbitrary WebAssembly (WASM) modules via simple Kubernetes annotations. By failing to validate the origin of 'flight' overrides, Yoke inadvertently turns the cluster's management layer into a malware distribution platform.

TL;DR

Yoke ATC versions <= 0.19.0 blindly download and execute WASM binaries from URLs specified in Kubernetes annotations. An attacker with basic edit rights can escalate to full cluster compromise.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-94 (Improper Control of Generation of Code)
  • Attack Vector: Network (Annotation Injection)
  • CVSS: 8.8 (High)
  • Risk: Critical (RCE / Privilege Escalation)
  • Exploit Status: PoC Available / Trivial
  • Affected Component: Yoke ATC / WASM Loader

Affected Systems

  • Yoke Air Traffic Controller (ATC)
  • Kubernetes Clusters using Yoke
  • Yoke: <= 0.19.0 (Fixed in: 0.19.1)

Code Analysis

Commit: f973056

Fix arbitrary WASM execution vulnerability

N/A

Exploit Details

  • Advisory: GHSA Advisory describing the attack vector

Mitigation Strategies

  • Upgrade Yoke software components
  • Implement Admission Controller policies
  • Restrict network egress for controller pods

Remediation Steps:

  1. Pull the latest Yoke images (tag >= 0.19.1).
  2. Redeploy the ATC component.
  3. Audit existing resources for the overrides.yoke.cd/flight annotation.
  4. Apply Kyverno/Gatekeeper policies to block unauthorized annotations.
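To support step 3 of the remediation, here is an added audit script (not from the advisory or the Yoke project) that scans a `kubectl get <kind> -A -o json` style listing for the overrides.yoke.cd/flight annotation and flags any override whose WASM URL is not served from an approved origin; the allowlist host and the sample manifests are constructed for this example.

```python
"""Audit Kubernetes resources for Yoke flight overrides (CVE-2026-26056).

Walks a kubectl JSON List, reads the overrides.yoke.cd/flight annotation
(the URL Yoke ATC would download a WASM module from) and reports every
override that is not https or not hosted on an approved origin.
"""
import json
from urllib.parse import urlparse

FLIGHT_ANNOTATION = "overrides.yoke.cd/flight"

# Assumption for this example: only WASM served from this internal
# registry over https is approved. Adjust to your own trusted origins.
APPROVED_ORIGINS = {("https", "registry.internal.example")}


def find_untrusted_flights(resource_list, approved=APPROVED_ORIGINS):
    """Return (namespace, name, url, reason) for each suspicious override."""
    findings = []
    for item in resource_list.get("items", []):
        meta = item.get("metadata", {})
        url = (meta.get("annotations") or {}).get(FLIGHT_ANNOTATION)
        if url is None:
            continue  # no override present: nothing for ATC to fetch
        parsed = urlparse(url)
        if parsed.scheme != "https":
            reason = f"non-https scheme {parsed.scheme!r}"
        elif (parsed.scheme, parsed.hostname) not in approved:
            reason = f"host {parsed.hostname!r} not in allowlist"
        else:
            continue  # approved origin, not reported
        findings.append((meta.get("namespace", ""), meta.get("name", ""), url, reason))
    return findings


# Constructed sample in the shape of `kubectl get <kind> -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "platform", "name": "approved",
   "annotations": {"overrides.yoke.cd/flight": "https://registry.internal.example/flights/v1.wasm"}}},
 {"metadata": {"namespace": "dev", "name": "rogue",
   "annotations": {"overrides.yoke.cd/flight": "http://203.0.113.7/payload.wasm"}}},
 {"metadata": {"namespace": "dev", "name": "plain"}}
]}
""")

if __name__ == "__main__":
    for ns, name, url, why in find_untrusted_flights(SAMPLE):
        print(f"{ns}/{name}: {url} ({why})")
```

Feed it the real listing with `kubectl get <kind> -A -o json` for each kind Yoke manages; any hit is a resource to review before the ATC pod can fetch and run its module.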

Read the full report for CVE-2026-26056 on our website for more details including interactive diagrams and full exploit analysis.
