CVE-2026-22872
Privilege Escalation in Capsule Kubernetes Controller

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors: exploitation requires Tenant Owner privileges and a Capsule Controller running with cluster-admin privileges (the default configuration), and some clusters may have additional admission controllers that block malicious resources. Version 0.13.0 patches this issue.
Affected Vendors & Products

Vendor           Product      Version / Range
projectcapsule   capsule      0.13.0
capsule          controller   to 0.13.0 (exc)
CWE ID    Description
CWE-20    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-863   The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows tenant administrators to escalate privileges and create cluster-scoped resources with elevated permissions, leading to potential full cluster compromise and breaches of tenant isolation.

Such unauthorized access and privilege escalation could result in exposure or unauthorized modification of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and data protection.

However, the exploit requires specific conditions, including tenant owner privileges and the Capsule Controller running with cluster-admin privileges, which may be mitigated by proper RBAC configurations and admission controllers.


Can you explain this vulnerability to me?

CVE-2026-22872 is a vulnerability in Capsule, a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges, and tenant administrators can exploit this by creating cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) through the TenantResource RawItems processing logic. Although the controller tries to set namespaces for these resources, this does not work for cluster-scoped resources, allowing tenants to escalate privileges across tenants and perform cluster-level attacks.

The vulnerability arises because the controller has excessive privileges, lacks validation of resource scope and type, and runs with cluster-admin rights. This enables tenant owners with TenantResource creation permissions to bypass normal Kubernetes restrictions and create resources they normally could not, leading to cross-tenant privilege escalation.


How can this vulnerability impact me?

This vulnerability can lead to serious impacts including full cluster compromise and breaches of tenant isolation. Attackers can create malicious cluster-scoped resources that allow them to escalate privileges beyond their tenant boundaries.

  • Cross-tenant privilege escalation
  • Cluster-level attacks
  • Sensitive data theft via malicious webhooks
  • Potential denial-of-service conditions
  • Persistent backdoors that remain even after the malicious TenantResource is deleted

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if tenant administrators have created cluster-scoped resources such as ClusterRole or ValidatingWebhookConfiguration via TenantResources, which they normally should not be able to create directly.

Since the Capsule Controller runs with cluster-admin privileges and processes TenantResource RawItems, you can audit the cluster for unexpected or unauthorized cluster-scoped resources created by tenant owners.

  • List cluster-scoped resources and check their creation source, labels or annotations:
      kubectl get clusterroles -o wide
      kubectl get validatingwebhookconfigurations -o wide
  • Check TenantResource objects in all namespaces (TenantResource is a namespaced object) for RawItems that declare cluster-scoped kinds:
      kubectl get tenantresources -A -o yaml | grep -i -A 10 'clusterrole'   # or other cluster-scoped kinds such as validatingwebhookconfiguration

Additionally, review audit logs for creation events of cluster-scoped resources by tenant owners to detect exploitation attempts.
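As an added example (not from this page or from the Capsule project), the following Python audit walks the TenantResource objects returned by kubectl and flags every RawItem whose kind is cluster-scoped, which is exactly the case where the controller's forced namespace has no effect. It assumes Capsule's spec.resources[].rawItems[] layout and uses a constructed sample in place of live kubectl output.

```python
import json
import sys

# Kinds that are cluster-scoped; the authoritative list for a given cluster is
# the KIND column of `kubectl api-resources --namespaced=false`.
CLUSTER_SCOPED_KINDS = {
    "ClusterRole", "ClusterRoleBinding", "ValidatingWebhookConfiguration",
    "MutatingWebhookConfiguration", "CustomResourceDefinition", "Namespace",
    "PersistentVolume", "StorageClass",
}

# Constructed sample of `kubectl get tenantresources -A -o json` output. The
# path spec.resources[].rawItems[] is assumed from Capsule's TenantResource API.
SAMPLE_TENANTRESOURCES = json.dumps({"items": [
    {"metadata": {"name": "shared-config", "namespace": "team-a"},
     "spec": {"resources": [{"rawItems": [
         {"apiVersion": "v1", "kind": "ConfigMap",
          "metadata": {"name": "app-config"}}]}]}},
    {"metadata": {"name": "suspicious", "namespace": "team-b"},
     "spec": {"resources": [{"rawItems": [
         {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
          "metadata": {"name": "team-b-escalate"}},
         {"apiVersion": "admissionregistration.k8s.io/v1",
          "kind": "ValidatingWebhookConfiguration",
          "metadata": {"name": "team-b-hook"}}]}]}},
]})


def find_cluster_scoped_raw_items(tenantresources_json, kinds=CLUSTER_SCOPED_KINDS):
    """Return (namespace/name of the TenantResource, kind, item name) for each
    rawItem of a cluster-scoped kind. The forced namespace is ignored for these
    kinds, so every hit was applied with the controller's cluster-admin rights."""
    findings = []
    for tr in json.loads(tenantresources_json).get("items", []):
        md = tr.get("metadata", {})
        owner = f"{md.get('namespace', '')}/{md.get('name', '')}"
        for res in tr.get("spec", {}).get("resources", []):
            for item in res.get("rawItems", []):
                if item.get("kind") in kinds:
                    name = item.get("metadata", {}).get("name", "")
                    findings.append((owner, item["kind"], name))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get tenantresources -A -o json | python3 audit_rawitems.py
    data = SAMPLE_TENANTRESOURCES if sys.stdin.isatty() else sys.stdin.read()
    for owner, kind, name in find_cluster_scoped_raw_items(data):
        print(f"{owner}: cluster-scoped {kind} {name!r} in rawItems")
```

Any hit should be cross-checked against the audit log for the corresponding create event by the controller's service account, since that is the path the advisory describes.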


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Capsule to version 0.13.0 or later, where this vulnerability is patched.

The patch includes using impersonation for TenantResources to prevent tenant administrators from creating cluster-scoped resources with elevated privileges.

Additionally, platform administrators should review and restrict RBAC permissions to ensure tenant owners do not have unnecessary privileges that could be exploited.

If upgrading immediately is not possible, consider implementing admission controllers or policies that block creation of unauthorized cluster-scoped resources by tenant owners.

