Description
Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in Capsule, a Kubernetes multi-tenancy framework, in the way the controller processes TenantResource RawItems. The controller forces the tenant's namespace onto every raw object, but cluster-scoped kinds have no namespace: the API server ignores the field, so the forced value is no protection at all. Because the Capsule Controller runs with cluster-admin privileges, a Tenant Owner can submit cluster-scoped objects such as ClusterRole and ValidatingWebhookConfiguration as RawItems and have the controller create them with its own credentials, even though the tenant's RBAC does not permit creating those kinds directly. The result is cross-tenant privilege escalation and, through objects such as a ValidatingWebhookConfiguration, potential cluster-level compromise.
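
The flaw is that forcing a namespace is the wrong check for a cluster-scoped kind; the correct check asks the API server what scope the kind has before touching the object. The following Go program is an added example written for this page, not Capsule's own code or the 0.13.0 fix. It contrasts a naive "force the namespace" normaliser with a scope-aware one. The scope table, the two sample RawItems and the error names are constructed for the example; a real controller would consult the cluster's RESTMapper instead of a hard-coded table.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// gvk identifies an API kind by apiVersion and kind.
type gvk struct{ APIVersion, Kind string }

// clusterScoped is a constructed scope table for this example. A real
// controller must ask the API server's RESTMapper whether a kind is namespaced.
var clusterScoped = map[gvk]bool{
	{"rbac.authorization.k8s.io/v1", "ClusterRole"}:                       true,
	{"rbac.authorization.k8s.io/v1", "ClusterRoleBinding"}:                true,
	{"admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration"}: true,
	{"rbac.authorization.k8s.io/v1", "Role"}:                              false,
	{"v1", "ConfigMap"}:                                                   false,
	{"networking.k8s.io/v1", "NetworkPolicy"}:                             false,
}

// object is the subset of a Kubernetes manifest this example needs.
type object struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	} `json:"metadata"`
}

// Hypothetical error values for the example.
var (
	ErrClusterScoped = errors.New("cluster-scoped kind not allowed in RawItems")
	ErrUnknownKind   = errors.New("kind scope unknown, refusing")
)

// naiveNormalize mirrors the flawed approach: force the namespace and pass
// the object on. For a cluster-scoped kind the namespace field is ignored by
// the API server, so the controller's elevated credentials create it as-is.
func naiveNormalize(raw []byte, ns string) (object, error) {
	var o object
	if err := json.Unmarshal(raw, &o); err != nil {
		return o, err
	}
	o.Metadata.Namespace = ns
	return o, nil
}

// scopedNormalize checks the kind's scope first, rejects cluster-scoped
// kinds, fails closed on kinds it cannot classify, and only then forces
// the tenant namespace onto a namespaced object.
func scopedNormalize(raw []byte, ns string) (object, error) {
	var o object
	if err := json.Unmarshal(raw, &o); err != nil {
		return o, err
	}
	isCluster, known := clusterScoped[gvk{o.APIVersion, o.Kind}]
	if !known {
		return o, fmt.Errorf("%w: %s/%s", ErrUnknownKind, o.APIVersion, o.Kind)
	}
	if isCluster {
		return o, fmt.Errorf("%w: %s/%s %q", ErrClusterScoped, o.APIVersion, o.Kind, o.Metadata.Name)
	}
	o.Metadata.Namespace = ns
	return o, nil
}

// Constructed sample RawItems, as a tenant owner might submit them. The Role
// even carries a foreign namespace, which the namespace forcing correctly
// overrides; the ClusterRole has none, so forcing changes nothing.
var (
	sampleRole        = []byte(`{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"name":"dev-role","namespace":"somewhere-else"}}`)
	sampleClusterRole = []byte(`{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"tenant-escalation"}}`)
)

func main() {
	for _, raw := range [][]byte{sampleRole, sampleClusterRole} {
		n, _ := naiveNormalize(raw, "tenant-a")
		fmt.Printf("naive : %s %q ns=%q (accepted)\n", n.Kind, n.Metadata.Name, n.Metadata.Namespace)
		s, err := scopedNormalize(raw, "tenant-a")
		if err != nil {
			fmt.Printf("scoped: rejected: %v\n", err)
			continue
		}
		fmt.Printf("scoped: %s %q ns=%q (accepted)\n", s.Kind, s.Metadata.Name, s.Metadata.Namespace)
	}
}
```

Running it shows the naive path accepting the ClusterRole with a namespace the API server would discard, while the scope-aware path rejects it and still accepts the namespaced Role. Failing closed on unknown kinds matters because CRDs can be cluster-scoped too; an allow-list of namespaced kinds is safer than a deny-list of known cluster-scoped ones.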

Affected Systems

Capsule versions prior to 0.13.0 are affected; 0.13.0 is the fixed release. Users deploying Capsule with the default controller configuration (the controller bound to cluster-admin) should confirm which version they are running, since every earlier release is vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 6.9 is Medium severity (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P); NVD's later CVSS v3.1 assessment rates it 9.1 Critical with changed scope, reflecting the cross-tenant impact. The EPSS score is below 1%, but the exploit requires Tenant Owner privileges and a Capsule Controller running with cluster-admin rights, so the exposed population is authenticated tenant owners in clusters using the default configuration. The vulnerability is not listed in the KEV catalog, so there is no known exploitation in the wild, although the SSVC assessment records a public proof of concept. The attack path itself is straightforward: a tenant owner places a cluster-scoped object in TenantResource RawItems and the controller creates it with its own privileges. Capsule performed no scope check before 0.13.0; only additional admission controllers deployed in the cluster, where present, can block the resulting objects.

Generated by OpenCVE AI on June 1, 2026 at 20:51 UTC.

Remediation

Fixed in Capsule 0.13.0 (GitHub advisory GHSA-qjjm-7j9w-pw72).

OpenCVE Recommended Actions

  • Upgrade Capsule to version 0.13.0 or later, which adds the missing scope check for TenantResource RawItems.
  • If upgrading is not immediately possible, run the Capsule Controller under a narrower RBAC grant than cluster-admin, without write access to cluster-scoped kinds it does not need (such as ClusterRole and ValidatingWebhookConfiguration); verify that tenant reconciliation still works under the reduced grant before relying on it.
  • Audit existing TenantResource objects for cluster-scoped kinds in RawItems, review cluster-scoped objects created by the controller's service account, and add an admission policy that rejects cluster-scoped objects created through TenantResource reconciliation.

Generated by OpenCVE AI on June 1, 2026 at 20:51 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-qjjm-7j9w-pw72
Title: Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability

History

Wed, 03 Jun 2026 19:45:00 +0000
  CPEs (added): cpe:2.3:a:projectcapsule:capsule:*:*:*:*:*:*:*:*
  Metrics (added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Tue, 02 Jun 2026 13:30:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 20:45:00 +0000
  First Time appeared (added): Projectcapsule; Projectcapsule capsule
  Vendors & Products (added): Projectcapsule; Projectcapsule capsule

Mon, 01 Jun 2026 19:00:00 +0000
  Description (added): Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue.
  Title (added): Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability
  Weaknesses (added): CWE-20, CWE-863
  References (added):
  Metrics (added): cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T12:45:53.146Z

Reserved: 2026-01-12T16:20:16.747Z

Link: CVE-2026-22872

Vulnrichment

Updated: 2026-06-02T12:45:30.360Z

NVD

Status : Analyzed

Published: 2026-06-01T19:16:21.943

Modified: 2026-06-03T19:40:06.210

Link: CVE-2026-22872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:00:15Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-863: Incorrect Authorization