CVE-2026-26056: Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC

February 12, 2026

Yoke ATC allows users to override the Flight WASM module URL via the overrides.yoke.cd/flight annotation on Custom Resources. The controller only checks if the user has update permission on airways resources but does not validate the WASM URL source. An attacker with CR create/update permissions can inject a malicious WASM URL, causing the ATC controller to download and execute arbitrary code.

References

github.com/advisories/GHSA-wj8p-jj64-h7ff
github.com/yokecd/yoke
github.com/yokecd/yoke/security/advisories/GHSA-wj8p-jj64-h7ff
nvd.nist.gov/vuln/detail/CVE-2026-26056

Code Behaviors & Features

Detect and mitigate CVE-2026-26056 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →