Description
Capsule is a multi-tenancy and policy-based framework for Kubernetes. To defend against namespace hijacking achieved through update/patch operations on namespaces, Capsule uses a webhook to validate update requests targeting namespaces. However, in Kubernetes, the namespace/finalize and namespace/status subresource APIs can also modify various fields of a namespace, including the metadata field. Prior to version 0.13.0, the webhook does not define interception rules for these subresources. As a result, if a tenant administrator has permission to modify namespace/status or namespace/finalize, they can successfully perform namespace hijacking. Version 0.13.0 fixes the issue. Another mitigation is to add the namespaces/status and namespaces/finalize subresources, alongside namespaces, to the resources list in the ValidatingWebhookConfiguration rules.
Published: 2026-06-01
Score: 3.9 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capsule enforces namespace policy through a validating webhook, but before version 0.13.0 the webhook omitted rules for the namespace/status and namespace/finalize subresources. Because these subresources can modify namespace metadata, a tenant administrator with permission to update them could bypass the webhook and change critical namespace attributes, effectively hijacking the namespace. The vulnerability is a classic input validation error (CWE‑20) that allows callers to supply data that the system does not properly guard against. This leads to confidentiality, integrity, and availability impacts for the affected namespace, giving the attacker full control over namespace configuration and potentially other tenant resources.

Affected Systems

All installations of Capsule prior to version 0.13.0 are affected, including governance of Kubernetes clusters where tenant administrators have the ability to modify namespace/status or namespace/finalize subresources.

Risk and Exploitability

The CVSS score of 3.9 reflects the low impact when the attacker is limited to tenant‑level privileges, but the absence of subresource validation creates a clear attack path. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting limited known exploitation in the wild. Nonetheless, any actor who can alter namespace subresources can exploit this weakness; therefore, the likelihood of exploitation remains significant in environments that grant such permissions. Mitigation requires patching or reconfiguring the webhook to include the missing subresource rules, as described in the advisory.

Generated by OpenCVE AI on June 1, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Capsule version 0.13.0 or later
  • Add namespaces, namespaces/status and namespaces/finalize to the resources list in the ValidatingWebhookConfiguration rules so that validation also covers the subresources
  • Restrict tenant administrator permissions so they cannot modify namespace/status or namespace/finalize subresources
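The mitigation named in the description and in the recommended actions is a change to the `resources` list of the webhook's rules. The following is an added example, not Capsule's own code or manifest: it builds a minimal ValidatingWebhookConfiguration with an incomplete rule set (only `namespaces`) next to the corrected one (`namespaces`, `namespaces/status`, `namespaces/finalize`), and audits which namespace (sub)resources a webhook's rules would fail to intercept on UPDATE. Resource matching follows the documented semantics of the `resources` field (`*` covers resources but not subresources, `*/*` covers both); the webhook, service and metadata names are placeholders.

```python
"""Audit a ValidatingWebhookConfiguration for namespace subresource coverage.

Constructed example, not Capsule's own code or manifests. It checks whether a
webhook's rules intercept UPDATE on core/v1 namespaces and on the
namespaces/status and namespaces/finalize subresources, and shows the
corrected rule set next to the incomplete one.
"""
from __future__ import annotations

import copy

# The three (sub)resources through which an update to a namespace can arrive.
REQUIRED = ("namespaces", "namespaces/status", "namespaces/finalize")


def _resource_matches(pattern: str, resource: str) -> bool:
    """Match one entry of a rule's `resources` list against a resource such as
    'namespaces/status', following the documented admission semantics:
    '*' covers every resource but no subresource, '*/*' covers everything,
    'namespaces/*' covers every subresource of namespaces, '*/status' covers
    the status subresource of any resource."""
    if pattern == "*/*":
        return True
    res, _, sub = resource.partition("/")
    if "/" not in pattern:
        return sub == "" and pattern in ("*", res)
    pat_res, _, pat_sub = pattern.partition("/")
    return sub != "" and pat_res in ("*", res) and pat_sub in ("*", sub)


def covers(rules: list[dict], resource: str, operation: str = "UPDATE") -> bool:
    """True if at least one rule intercepts `operation` on core/v1 `resource`.
    Namespaces live in the core API group, which is spelled "" in apiGroups."""
    for rule in rules:
        if not {"*", operation} & set(rule.get("operations", [])):
            continue
        if not {"*", ""} & set(rule.get("apiGroups", [])):
            continue
        if not {"*", "v1"} & set(rule.get("apiVersions", [])):
            continue
        if any(_resource_matches(p, resource) for p in rule.get("resources", [])):
            return True
    return False


def missing_namespace_coverage(config: dict) -> dict[str, list[str]]:
    """Map each webhook name to the namespace (sub)resources whose UPDATEs
    its rules do not intercept. An empty dict means full coverage."""
    gaps: dict[str, list[str]] = {}
    for webhook in config.get("webhooks", []):
        missing = [r for r in REQUIRED if not covers(webhook.get("rules", []), r)]
        if missing:
            gaps[webhook["name"]] = missing
    return gaps


def add_namespace_subresources(config: dict) -> dict:
    """Return a copy in which every rule that lists 'namespaces' also lists
    the status and finalize subresources (the mitigation from the advisory)."""
    fixed = copy.deepcopy(config)
    for webhook in fixed.get("webhooks", []):
        for rule in webhook.get("rules", []):
            resources = rule.get("resources", [])
            if "namespaces" in resources:
                for sub in ("namespaces/status", "namespaces/finalize"):
                    if sub not in resources:
                        resources.append(sub)
    return fixed


def _config(resources: list[str]) -> dict:
    """Build a minimal ValidatingWebhookConfiguration; all names are placeholders."""
    return {
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "ValidatingWebhookConfiguration",
        "metadata": {"name": "example-namespace-validation"},
        "webhooks": [{
            "name": "namespaces.example.invalid",
            "admissionReviewVersions": ["v1"],
            "sideEffects": "None",
            "failurePolicy": "Fail",
            "clientConfig": {"service": {"name": "example-webhook",
                                         "namespace": "example-system",
                                         "path": "/namespaces"}},
            "rules": [{
                "apiGroups": [""],
                "apiVersions": ["v1"],
                "operations": ["UPDATE"],
                "resources": resources,
                "scope": "Cluster",
            }],
        }],
    }


# Incomplete rule set: only the namespaces resource is listed, so an UPDATE sent
# to namespaces/status or namespaces/finalize is never presented to the webhook.
BEFORE = _config(["namespaces"])
# Corrected rule set: the subresources are listed explicitly.
AFTER = _config(["namespaces", "namespaces/status", "namespaces/finalize"])

if __name__ == "__main__":
    print("before: ", missing_namespace_coverage(BEFORE))
    print("after:  ", missing_namespace_coverage(AFTER))
    print("patched:", missing_namespace_coverage(add_namespace_subresources(BEFORE)))
```

Run the file directly to see the gap reported for the incomplete configuration and an empty result for the corrected one. To audit a live configuration, feed the output of `kubectl get validatingwebhookconfiguration <name> -o json` (parsed with `json.loads`) to `missing_namespace_coverage`; note that a rule using the bare `*` wildcard still reports the two subresources as uncovered, because `*` does not match subresources.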



Advisories

Source: GitHub GHSA
ID: GHSA-2ww6-hf35-mfjm
Title: Capsule Namespace Hijacking via subresource

History

Mon, 01 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Projectcapsule; Projectcapsule capsule
Vendors & Products | | Projectcapsule; Projectcapsule capsule

Mon, 01 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Capsule is a multi-tenancy and policy-based framework for Kubernetes. To defend against namespace hijacking achieved through update/patch operations on namespaces, Capsule uses a webhook to validate update requests targeting namespaces. However, in Kubernetes, the namespace/finalize and namespace/status subresource APIs can also modify various fields of a namespace, including the metadata field. Prior to version 0.13.0, the webhook does not define interception rules for these subresources. As a result, if a tenant administrator has permission to modify namespace/status or namespace/finalize, they can successfully perform namespace hijacking. Version 0.13.0 fixes the issue. Another mitigation is to add the namespaces/status and namespaces/finalize subresources, alongside namespaces, to the resources list in the ValidatingWebhookConfiguration rules.
Title | | Capsule Namespace Hijacking via subresource
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1 {'score': 3.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T18:00:43.797Z

Reserved: 2026-03-07T17:53:48.814Z

Link: CVE-2026-30963

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T19:16:22.780

Modified: 2026-06-01T19:16:22.780

Link: CVE-2026-30963

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:30:17Z

Weaknesses