CVE-2026-22872

Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/projectcapsule/capsule/releases/tag/v0.13.0	Product Release Notes
https://github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72	Exploit Vendor Advisory
https://github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:projectcapsule:capsule:*:*:*:*:*:*:*:*

History

03 Jun 2026, 19:40

Type	Values Removed	Values Added
CPE		cpe:2.3:a:projectcapsule:capsule::::::::
First Time		Projectcapsule capsule Projectcapsule
References	~~() https://github.com/projectcapsule/capsule/releases/tag/v0.13.0 -~~	() https://github.com/projectcapsule/capsule/releases/tag/v0.13.0 - Product, Release Notes
References	~~() https://github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72 -~~	() https://github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72 - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

02 Jun 2026, 14:16

Type	Values Removed	Values Added
References	~~() https://github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72 -~~	() https://github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72 -

01 Jun 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-01 19:16

Updated : 2026-06-03 19:40

NVD link : CVE-2026-22872

Mitre link : CVE-2026-22872

CVE.ORG link : CVE-2026-22872

JSON object : View

Products Affected

projectcapsule

capsule

CWE

CWE-20

Improper Input Validation

CWE-863

Incorrect Authorization

9.1 /10