CVE-2026-22872— Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| projectcapsule | capsule | < 0.13.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-22872
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| projectcapsule | capsule | < 0.13.0 | - |
II. Public POCs for CVE-2026-22872
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-22872
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-22872 (1)
Vendor Pages for CVE-2026-22872 (1)
- 🔗 Release v0.13.0 · projectcapsule/capsule · GitHubx_refsource_MISC
IV. Related Vulnerabilities
Same product: capsule
Same vendor: projectcapsule
- CVE-2026-30963
Capsule Namespace Hijacking via subresource - CVE-2025-55205
Capsule tenant owners with "patch namespace" permission can - CVE-2024-39690
Capsule tenant owner with "patch namespace" permission can h - CVE-2023-48312
Authentication bypass using an empty token in capsule-proxy - CVE-2023-46254
Service accounts can see namespaces of other tenants in caps
Same weakness: CWE-20
- CVE-2026-47201
authentik: XML Signature Wrapping in SAML Source ACS allows - CVE-2026-35049
wire-ios has Persistent Remote DoS via Integer Underflow - CVE-2026-45685
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on - CVE-2026-45678
OpenTelemetry eBPF Instrumentation: Postgres BIND parsing ca - CVE-2026-45676
OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing a
V. Comments for CVE-2026-22872
No comments yet