YAOOK Security Advisory CVE-2026-42301

What is CVE-2026-42301 and how does it affect YAOOK?

CVE-2026-42301 allows an attacker who obtains an unrestricted application credential to use it in a project other than the one it was created for, provided the user who created the application credential also has access to that other project. In other words, the project scoping of application credentials is not enforced: such a credential effectively carries its creator's access to every project the creator can reach, not just the project it was issued for.

Is my cluster vulnerable?

The following images are vulnerable:

– keystone images with a tag before 3.0.86
– yaook releases before 2.3.0 (i.e. 2.2.0 and earlier)

If one of these images is used in your cluster for the keystone-api deployment, the cluster is vulnerable. Other YAOOK components are not affected by this issue; only the keystone image needs to be checked and updated.
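The following script is an added example of how to check a cluster for the vulnerable image; it is not part of the advisory or of the YAOOK project. It lists the container images of every Deployment via kubectl, picks out keystone images by the `/keystone-` path component used by the registry.yaook.cloud images above, and compares their tag against 3.0.86. It assumes keystone images carry plain X.Y.Z tags; an image referenced without a tag (digest only) cannot be proven fixed and is reported as well.

```shell
#!/bin/sh
# Added example (not part of the advisory): find keystone images whose tag
# predates the fix for CVE-2026-42301.  Assumes keystone images are tagged
# X.Y.Z and that kubectl is configured for the cluster to scan.

FIXED_VERSION="3.0.86"

# version_lt A B: succeed (exit 0) if version A sorts before version B.
# Compares the first three dot-separated components numerically; anything
# after the first non-digit in a component (e.g. "86-rc1") is ignored.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # keep leading digits only
        x=${x:-0}; y=${y:-0}               # missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal
}

# image_is_vulnerable IMAGE: succeed (exit 0) if IMAGE is a keystone image
# tagged before 3.0.86, or a keystone image with no tag at all (cannot be
# proven fixed).  Non-keystone images are ignored (exit 1).
image_is_vulnerable() {
    image="$1"
    case "$image" in
        */keystone-*) ;;          # e.g. registry.yaook.cloud/yaook/keystone-2024.1:...
        *) return 1 ;;
    esac
    ref=${image%%@*}              # drop an appended @sha256:... digest, if any
    case "$ref" in
        */*:*) tag=${ref##*:} ;;  # a colon after the last path separator is the tag
        *) return 0 ;;            # untagged / digest-only: treat as not fixed
    esac
    version_lt "$tag" "$FIXED_VERSION"
}

# scan_cluster: print one line per Deployment container that uses a
# vulnerable keystone image.  Prints nothing if the cluster looks clean.
scan_cluster() {
    kubectl get deployments --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{range .spec.template.spec.containers[*]}{.image}{" "}{end}{"\n"}{end}' |
    while IFS="$(printf '\t')" read -r name images; do
        for img in $images; do
            if image_is_vulnerable "$img"; then
                printf 'VULNERABLE: %s uses %s (fixed in %s)\n' "$name" "$img" "$FIXED_VERSION"
            fi
        done
    done
}

# Only talk to the cluster when explicitly asked: ./check.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_cluster
fi
```

Run it as `sh check.sh scan` against each cluster; an empty result means no Deployment references a keystone image older than 3.0.86. If you pin images by digest, map the digest back to its tag in your registry before trusting the "untagged" finding.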

Upgrading

A new stable release will be published according to the release cycle. You can upgrade to that release simply by updating your operators.

If you want to upgrade the keystone components without waiting for the next release, you may add a YAOOK_OP_VERSIONS_OVERRIDE variable to your Keystone operator container. It maps each keystone image repository to the fixed tag, so the operator pulls the patched image before the comprehensive YAOOK release is ready.

The best way to do this is to set the following in the values.yaml of your keystone-operator (make sure to merge this correctly with an existing values.yaml, if you have one). Only the entries for the OpenStack releases you actually run are needed, but keeping all of them is harmless.

values:
  operator:
    extraEnv:
    - name: YAOOK_OP_VERSIONS_OVERRIDE
      value: |
          {
              "registry.yaook.cloud/yaook/keystone-2023.2": "registry.yaook.cloud/yaook/keystone-2023.2:3.0.86",
              "registry.yaook.cloud/yaook/keystone-2024.1": "registry.yaook.cloud/yaook/keystone-2024.1:3.0.86",
              "registry.yaook.cloud/yaook/keystone-2024.2": "registry.yaook.cloud/yaook/keystone-2024.2:3.0.86",
              "registry.yaook.cloud/yaook/keystone-2025.1": "registry.yaook.cloud/yaook/keystone-2025.1:3.0.86",
              "registry.yaook.cloud/yaook/keystone-2025.2": "registry.yaook.cloud/yaook/keystone-2025.2:3.0.86"
          }

If you are not using Helm, you can add the environment variable to the `env` section of your keystone-operator’s Deployment’s pod template.
