VYPR
Critical severity9.1GHSA Advisory· Published Jun 1, 2026· Updated Jun 3, 2026

CVE-2026-22872

CVE-2026-22872

Description

Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/projectcapsule/capsuleGo
< 0.13.00.13.0

Affected products

2
  • Projectcms/CapsuleGHSA2 versions
    < 0.13.0+ 1 more
    • (no CPE)range: < 0.13.0
    • cpe:2.3:a:projectcapsule:capsule:*:*:*:*:*:*:*:*range: <0.13.0

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.