CVE-2026-22872
Severity CVSS v4.0:
MEDIUM
Type:
CWE-20
Input Validation
Publication date:
01/06/2026
Last modified:
03/06/2026
Description
Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
9.10
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:projectcapsule:capsule:*:*:*:*:*:*:*:* | 0.13.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



