Description
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level.
Published: 2026-02-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary WASM code execution that can lead to privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The Air Traffic Controller (ATC) component of Yoke releases 0.19.0 and earlier accepts an annotation named overrides.yoke.cd/flight that points to a WebAssembly module. The controller downloads and executes the module without validating the URL. An attacker who has permission to create or update resources can supply a malicious URL, causing the ATC to run arbitrary WASM code in its own context. This ability allows the attacker to create arbitrary Kubernetes resources and may enable escalation to cluster‑admin level.

Affected Systems

Yoke, produced by yokecd, is affected when its version is 0.19.0 or older. The vulnerability resides in the ATC component of the infrastructure‑as‑code deployment tool.

Risk and Exploitability

The CVSS v3.1 base score is 8.8, indicating a high severity vulnerability. The EPSS score is below 1%, suggesting a limited probability of exploitation at present. The issue is not listed in CISA's KEV catalog. The likely attack vector is through the injection of a malicious URL in the overrides.yoke.cd/flight annotation by a user with create/update permissions; the ATC controller then executes the downloaded WASM code, granting the attacker the controller's privileges.

Generated by OpenCVE AI on April 17, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Yoke release that includes a fix for the ATC annotation validation issue (any version greater than 0.19.0).
  • Restrict the CR create/update permissions so that only trusted users can modify the overrides.yoke.cd/flight annotation.
  • Audit existing Kubernetes manifests for the overrides.yoke.cd/flight annotation, remove or sanitise any URLs pointing to external WASM modules, and replace them with safe, internally stored modules.
  • As an interim measure, disable the ATC controller or block outbound network traffic from the controller so it cannot download external WASM modules until a patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 19:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wj8p-jj64-h7ff Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yokecd:yoke:*:*:*:*:*:*:*:*

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Yokecd
Yokecd yoke
Vendors & Products Yokecd
Yokecd yoke

Thu, 12 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level.
Title Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Yokecd Yoke
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:33:22.829Z

Reserved: 2026-02-10T18:01:31.899Z

Link: CVE-2026-26056

cve-icon Vulnrichment

Updated: 2026-02-12T21:33:00.635Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-12T22:16:06.347

Modified: 2026-04-01T20:53:39.900

Link: CVE-2026-26056

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses