{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T22:13:28.245","vulnerabilities":[{"cve":{"id":"CVE-2026-26055","sourceIdentifier":"security-advisories@github.com","published":"2026-02-12T22:16:06.190","lastModified":"2026-04-01T20:57:00.640","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization."},{"lang":"es","value":"Yoke es un desplegador de paquetes de infraestructura como código (IaC) inspirado en Helm. En la versión 0.19.0 y anteriores, existe una vulnerabilidad en el componente Air Traffic Controller (ATC) de Yoke. Los puntos finales del webhook de ATC carecen de mecanismos de autenticación adecuados, lo que permite que cualquier pod dentro de la red del clúster envíe directamente solicitudes de AdmissionReview al webhook, eludiendo la autenticación del Kubernetes API Server. Esto permite a los atacantes activar la ejecución de módulos WASM en el contexto del controlador ATC sin la autorización adecuada."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-306"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:yokecd:yoke:*:*:*:*:*:*:*:*","versionEndIncluding":"0.19.0","matchCriteriaId":"02DD229D-6652-4DF6-9FC9-999E84AE5AD8"}]}]}],"references":[{"url":"https://github.com/yokecd/yoke/security/advisories/GHSA-965m-v4cc-6334","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}