CVE-2026-30963
Namespace Hijacking via Subresource API in Capsule

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Capsule is a multi-tenancy and policy-based framework for Kubernetes. To defend against namespace hijacking achieved through update/patch operations on namespaces, Capsule uses a webhook to validate update requests targeting namespaces. However, in Kubernetes the namespace/finalize and namespace/status subresource APIs can also modify various fields of a namespace, including the metadata field. Prior to version 0.13.0, the webhook does not define interception rules for these subresources. As a result, a tenant administrator who has permission to modify namespace/status or namespace/finalize can successfully perform namespace hijacking. Version 0.13.0 fixes the issue. Another mitigation is to add the two subresources, namespaces/status and namespaces/finalize, alongside namespaces in the resources list of the ValidatingWebhookConfiguration rules.
Meta Information
Generated: 2026-06-22
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Vendor: projectcapsule
Product: capsule
Version / Range: up to 0.13.0 (excluding 0.13.0)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Compliance Impact

The vulnerability allows namespace hijacking by tenant administrators with certain permissions, potentially enabling unauthorized access or control over namespaces belonging to other tenants.

Such unauthorized access could lead to exposure or modification of sensitive data managed within those namespaces, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls and data integrity.

However, the vulnerability requires high privileges and user interaction, and its impact on confidentiality, integrity, and availability is rated as limited (CVSS score 3.9).

Mitigations include updating the webhook configuration to intercept relevant subresource API calls and restricting permissions, which can help maintain compliance by preventing unauthorized namespace modifications.

Detection Guidance

This vulnerability can be detected by checking whether the Capsule ValidatingWebhookConfiguration includes interception rules for the subresources `namespaces/status` and `namespaces/finalize`. If these subresources are not listed, the installation is vulnerable.

Additionally, audit Kubernetes RBAC permissions to identify whether any tenant administrators hold permission to patch the `namespaces/status` or `namespaces/finalize` subresources, which would allow exploitation.

Suggested commands to detect potential exposure:

  • Check the ValidatingWebhookConfiguration for Capsule to see if it includes the required subresources: `kubectl get validatingwebhookconfiguration capsule-webhook -o yaml | grep -A 10 rules`, then look for `namespaces/status` and `namespaces/finalize` in the `resources` list under the webhook rules.
  • Audit RBAC roles that grant patch access to these subresources (the verbs and resources live in Role and ClusterRole objects, not in the bindings): `kubectl get clusterroles,roles -A -o yaml | grep -B 5 -A 5 'namespaces/status\|namespaces/finalize'`
  • Or, more specifically, inspect a single role: `kubectl get clusterrole <role-name> -o yaml | grep -A 10 rules`

By combining these checks, you can detect if your system is vulnerable to namespace hijacking via this CVE.

Executive Summary

This vulnerability affects Capsule, a multi-tenancy and policy-based framework for Kubernetes. Capsule uses a webhook to validate update requests on namespaces to prevent namespace hijacking. However, before version 0.13.0, the webhook did not intercept update requests made through the namespace/finalize and namespace/status subresource APIs, which can also modify namespace metadata. If a tenant administrator has permission to modify these subresources, they can exploit this gap to perform namespace hijacking.

Impact Analysis

This vulnerability allows a tenant administrator with certain permissions to hijack namespaces by modifying namespace metadata through subresource APIs that were not properly validated. This can lead to unauthorized changes within Kubernetes namespaces, potentially compromising isolation between tenants, leading to data leakage, unauthorized access, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade Capsule to version 0.13.0 or later, which includes a fix for the issue.

Alternatively, add the two subresources namespaces/status and namespaces/finalize, alongside namespaces, to the resources list in the ValidatingWebhookConfiguration rules so that the webhook intercepts update requests targeting these subresources.
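The grep-based check in Detection Guidance above can miss wildcard rules or match the wrong webhook; the following added example (not Capsule's own code) applies the Kubernetes webhook `resources` matching semantics to the JSON that `kubectl get validatingwebhookconfiguration <name> -o json` prints, and reports which of the two subresources are not intercepted for UPDATE. The two embedded configurations are constructed samples: one with the pre-0.13.0 style rule that lists only `namespaces`, and one with the mitigated `resources` list described above; the webhook name is a placeholder.

```python
import json

# Subresources the Capsule webhook must also intercept (CVE-2026-30963).
REQUIRED = ("namespaces/status", "namespaces/finalize")


def _resource_matches(pattern: str, target: str) -> bool:
    """Kubernetes webhook 'resources' semantics: '*' matches resources but not
    subresources, '*/*' matches everything, 'namespaces/*' matches every
    subresource of namespaces, '*/status' matches status on every resource."""
    if pattern == target or pattern == "*/*":
        return True
    if "/" not in pattern:
        return False  # '*' or a bare resource never covers a subresource
    res, sub = pattern.split("/", 1)
    tres, tsub = target.split("/", 1)
    return res in ("*", tres) and sub in ("*", tsub)


def uncovered_subresources(config_json: str) -> list:
    """Return the REQUIRED subresources that no rule in the
    ValidatingWebhookConfiguration (as dumped by 'kubectl ... -o json')
    intercepts for UPDATE in the core API group."""
    cfg = json.loads(config_json)
    missing = []
    for target in REQUIRED:
        covered = False
        for webhook in cfg.get("webhooks", []):
            for rule in webhook.get("rules", []):
                ops, groups = set(rule.get("operations", [])), set(rule.get("apiGroups", []))
                if not (ops & {"UPDATE", "*"} and groups & {"", "*"}):
                    continue  # rule does not apply to core-group updates
                if any(_resource_matches(p, target) for p in rule.get("resources", [])):
                    covered = True
        if not covered:
            missing.append(target)
    return missing


# Constructed sample: a pre-0.13.0 style rule that lists only "namespaces".
VULNERABLE = json.dumps({"webhooks": [{"name": "namespaces.capsule.example", "rules": [
    {"apiGroups": [""], "apiVersions": ["v1"], "operations": ["CREATE", "UPDATE", "DELETE"],
     "resources": ["namespaces"]}]}]})

# Constructed sample: the mitigated rule with both subresources added.
FIXED = json.dumps({"webhooks": [{"name": "namespaces.capsule.example", "rules": [
    {"apiGroups": [""], "apiVersions": ["v1"], "operations": ["CREATE", "UPDATE", "DELETE"],
     "resources": ["namespaces", "namespaces/status", "namespaces/finalize"]}]}]})
```

Feed the real dump to `uncovered_subresources`; an empty list means both subresources are intercepted, while any entry returned names a gap that the 0.13.0 upgrade or the rule change above closes.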
