CVE-2026-26055: Unauthenticated Admission Webhook Endpoints in Yoke ATC
Yoke ATC implements multiple admission webhook endpoints (/validations/{airway}, /validations/resources, /validations/flights.yoke.cd, /validations/airways.yoke.cd, etc.) that process AdmissionReview requests. These endpoints do not implement TLS client certificate authentication or request source validation, so the webhook cannot distinguish an AdmissionReview issued by the Kubernetes API server from one crafted by any other caller. Any client that can reach the ATC service within the cluster can send requests directly to these endpoints, bypassing the authentication and authorization the Kubernetes API server would otherwise have applied to the request.