Yoke is an infrastructure-as-code package deployer inspired by Helm, used to manage Kubernetes resources. Versions prior to 0.19.0 contain a critical vulnerability (CVE-2026-26056) in the Air Traffic Controller (ATC) component. This vulnerability arises from improper validation of URLs provided via the overrides.yoke.cd/flight annotation, which is intended to specify a WebAssembly (WASM) module for execution. Users with create or update permissions can inject a malicious URL that the ATC controller downloads and executes without sufficient validation. Because the WASM module runs in the controller context, an attacker can execute arbitrary code, allowing them to create or modify Kubernetes resources arbitrarily. This can lead to privilege escalation to cluster-admin level, compromising the entire Kubernetes cluster. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), highlighting the risk of code injection. The CVSS 3.1 score of 8.8 reflects the vulnerability's high impact, with network attack vector, low attack complexity, required privileges, no user interaction, and full impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the potential for severe damage exists. The vulnerability affects all Yoke versions before 0.19.0, and no official patches are linked yet, emphasizing the need for prompt version upgrades once available.

For European organizations, this vulnerability poses a significant risk to Kubernetes cluster security, especially for those using Yoke as part of their infrastructure-as-code toolchain. Exploitation can lead to unauthorized creation and modification of Kubernetes resources, potentially disrupting critical services and workflows. The ability to escalate privileges to cluster-admin level threatens the confidentiality and integrity of sensitive data and operational controls. This can result in data breaches, service outages, and lateral movement within cloud environments. Organizations with multi-tenant clusters or those managing critical infrastructure are particularly vulnerable. The high CVSS score indicates that the vulnerability can be exploited remotely with relatively low complexity, increasing the likelihood of targeted attacks. The absence of known exploits in the wild suggests a window of opportunity for defenders to remediate before widespread exploitation occurs. However, the potential impact on availability, integrity, and confidentiality is severe, making this a critical threat to cloud-native deployments in Europe.

1. Upgrade Yoke to version 0.19.0 or later as soon as a patched release is available to eliminate the vulnerability. 2. Until an upgrade is possible, restrict create and update permissions in Kubernetes to trusted users only, minimizing the risk of malicious annotation injection. 3. Implement strict network policies to limit the ATC controller's ability to download WASM modules from untrusted or external URLs. 4. Monitor Kubernetes audit logs for suspicious use of the overrides.yoke.cd/flight annotation or unusual creation of resources. 5. Employ runtime security tools to detect anomalous behavior in the ATC controller and Kubernetes API server. 6. Conduct regular security reviews of infrastructure-as-code configurations and annotations to detect potential injection points. 7. Educate DevOps and security teams about the risks of code injection in IaC tools and enforce best practices for annotation usage and permissions management.