Cross-Tenant Privilege Escalation in Capsule Kubernetes Framework
CVE-2026-22872

6.9 MEDIUM

Key Information:

CVE Published: 1 June 2026

What is CVE-2026-22872?

Capsule, a multi-tenancy and policy-based framework for Kubernetes, has a vulnerability that lets tenant administrators abuse the Capsule Controller's elevated privileges. In versions prior to 0.13.0, a tenant administrator can create cluster-scoped resources, such as ClusterRole and ValidatingWebhookConfiguration, which would normally be restricted. Misuse of this capability can lead to cross-tenant privilege escalation, potentially enabling malicious actors to carry out cluster-level attacks. Exploitation requires Tenant Owner privileges, and some configurations may have additional admission controllers in place that mitigate the threat. Upgrade to version 0.13.0 to resolve the issue.

Affected Version(s)

capsule < 0.13.0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved