CVE-2026-22872
Analyzed Analyzed - Analysis Complete
Privilege Escalation in Capsule Kubernetes Controller

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-21
NVD
CVE-2026-22872
EUVD
EUVD-2026-33729
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectcapsule capsule to 0.13.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows tenant administrators to escalate privileges and create cluster-scoped resources with elevated permissions, leading to potential full cluster compromise and breaches of tenant isolation.

Such unauthorized access and privilege escalation could result in exposure or unauthorized modification of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and data protection.

However, the exploit requires specific conditions, including tenant owner privileges and the Capsule Controller running with cluster-admin privileges, which may be mitigated by proper RBAC configurations and admission controllers.

Executive Summary

CVE-2026-22872 is a vulnerability in Capsule, a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges, and tenant administrators can exploit this by creating cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) through the TenantResource RawItems processing logic. Although the controller tries to set namespaces for these resources, this does not work for cluster-scoped resources, allowing tenants to escalate privileges across tenants and perform cluster-level attacks.

The vulnerability arises because the controller has excessive privileges, lacks validation of resource scope and type, and runs with cluster-admin rights. This enables tenant owners with TenantResource creation permissions to bypass normal Kubernetes restrictions and create resources they normally could not, leading to cross-tenant privilege escalation.

Impact Analysis

This vulnerability can lead to serious impacts including full cluster compromise and breaches of tenant isolation. Attackers can create malicious cluster-scoped resources that allow them to escalate privileges beyond their tenant boundaries.

  • Cross-tenant privilege escalation
  • Cluster-level attacks
  • Sensitive data theft via malicious webhooks
  • Potential denial-of-service conditions
  • Persistent backdoors that remain even after the malicious TenantResource is deleted
Detection Guidance

Detection of this vulnerability involves identifying if tenant administrators have created cluster-scoped resources such as ClusterRole or ValidatingWebhookConfiguration via TenantResources, which they normally should not be able to create directly.

Since the Capsule Controller runs with cluster-admin privileges and processes TenantResource RawItems, you can audit the cluster for unexpected or unauthorized cluster-scoped resources created by tenant owners.

  • Use kubectl commands to list cluster-scoped resources and check their creation source or annotations:
  • kubectl get clusterroles -o wide
  • kubectl get validatingwebhookconfigurations -o wide
  • Check TenantResource objects for suspicious RawItems that include cluster-scoped resources.
  • kubectl get tenantresources -o yaml | grep -A 10 'clusterRole' # or other cluster-scoped resource keywords

Additionally, review audit logs for creation events of cluster-scoped resources by tenant owners to detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade Capsule to version 0.13.0 or later, where this vulnerability is patched.

The patch includes using impersonation for TenantResources to prevent tenant administrators from creating cluster-scoped resources with elevated privileges.

Additionally, platform administrators should review and restrict RBAC permissions to ensure tenant owners do not have unnecessary privileges that could be exploited.

If upgrading immediately is not possible, consider implementing admission controllers or policies that block creation of unauthorized cluster-scoped resources by tenant owners.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22872. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart