
CVE-2026-22872

Severity: CRITICAL · CVSS 9.1 · EPSS 0.6%
Hype: MOSTLY HYPE · 28 hack

High CVSS but zero PoC, no KEV, low EPSS, recycled social posts only.

What: Capsule Kubernetes multi-tenancy controller privilege escalation (CVE-2026-22872, CVSS 9.1). Tenant owners can create cluster-scoped resources via the controller's cluster-admin privileges, bypassing namespace restrictions and achieving cross-tenant privilege escalation.

Why it matters: Patch available (v0.13.0) and real fix deployed; requires Tenant Owner role + default cluster-admin configuration to exploit. Not yet KEV-listed; no public PoC or in-the-wild exploitation reported. CVSS is high but EPSS extremely low (0.28%), signaling limited real-world weaponization probability.

Where it's seen: Identical recycled alert posts across Bluesky with no original analysis, PoC links, or defender triage questions. Pure advisory amplification without exploitation evidence or vendor urgency signals.

RISK: HIGH — Requires elevated tenant privileges and default config; patch available but adoption unknown.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/13/2026, 2:04:35 PM

Description

Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue.
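The namespace override the advisory mentions only constrains namespaced kinds, so a pre-upgrade audit for operators is to look for TenantResource objects whose rawItems embed a cluster-scoped kind. The script below is an added example, not Capsule project code. It assumes the TenantResource layout spec.resources[].rawItems[].raw (with raw being an embedded Kubernetes object); the set of cluster-scoped kinds and the sample manifest are constructed for illustration and are not exhaustive.

```python
"""Audit TenantResource manifests for cluster-scoped rawItems.

Added example for CVE-2026-22872; not Capsule project code. Assumes the
TenantResource layout spec.resources[].rawItems[].raw, where `raw` is an
embedded Kubernetes object (assumption: check against your Capsule CRD).
"""
from typing import Any

# Constructed, non-exhaustive set of cluster-scoped kinds. A tenant owner should
# not be able to reach any of these through the controller's cluster-admin RBAC.
CLUSTER_SCOPED_KINDS: frozenset[str] = frozenset({
    "ClusterRole", "ClusterRoleBinding", "ValidatingWebhookConfiguration",
    "MutatingWebhookConfiguration", "CustomResourceDefinition", "Namespace",
    "PersistentVolume", "StorageClass", "PriorityClass", "Node",
})

FIXED_VERSION = (0, 13, 0)  # first Capsule release with the fix (from the advisory)


def is_affected_version(version: str) -> bool:
    """True when a Capsule release tag such as 'v0.12.4' is older than 0.13.0."""
    core = version.strip().lstrip("v").split("-", 1)[0]  # drop any pre-release suffix
    parts = [int(p) for p in core.split(".")[:3]]
    parts += [0] * (3 - len(parts))                      # pad '0.12' -> 0.12.0
    return tuple(parts) < FIXED_VERSION


def find_cluster_scoped_raw_items(tenant_resource: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one finding per rawItem whose embedded object has a cluster-scoped kind.

    The controller's forced namespace only applies to namespaced kinds, so every
    cluster-scoped kind declared here is reported.
    """
    meta = tenant_resource.get("metadata", {})
    spec = tenant_resource.get("spec", {})
    findings: list[dict[str, Any]] = []
    for res_idx, resource in enumerate(spec.get("resources", [])):
        for item_idx, item in enumerate(resource.get("rawItems", [])):
            raw = item.get("raw") or {}
            kind = raw.get("kind", "")
            if kind in CLUSTER_SCOPED_KINDS:
                findings.append({
                    "tenant_resource": f"{meta.get('namespace', '?')}/{meta.get('name', '?')}",
                    "path": f"spec.resources[{res_idx}].rawItems[{item_idx}]",
                    "kind": kind,
                    "name": raw.get("metadata", {}).get("name", "?"),
                })
    return findings


# Constructed sample manifest: one benign namespaced item and two cluster-scoped ones.
SAMPLE_TENANT_RESOURCE: dict[str, Any] = {
    "apiVersion": "capsule.clastix.io/v1beta2",
    "kind": "TenantResource",
    "metadata": {"name": "team-a-shared", "namespace": "team-a-tools"},
    "spec": {
        "resources": [
            {"rawItems": [
                {"raw": {"apiVersion": "v1", "kind": "ConfigMap",
                         "metadata": {"name": "app-settings"}}},
            ]},
            {"rawItems": [
                {"raw": {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                         "metadata": {"name": "team-a-wide"}}},
                {"raw": {"apiVersion": "admissionregistration.k8s.io/v1",
                         "kind": "ValidatingWebhookConfiguration",
                         "metadata": {"name": "team-a-hook"}}},
            ]},
        ]
    },
}

if __name__ == "__main__":
    for f in find_cluster_scoped_raw_items(SAMPLE_TENANT_RESOURCE):
        print(f"{f['tenant_resource']}: {f['path']} declares cluster-scoped "
              f"{f['kind']}/{f['name']}")
    print("controller v0.12.5 affected:", is_affected_version("v0.12.5"))
```

In a real cluster, feed each item from `kubectl get tenantresources -A -o json` (assuming that resource plural for the Capsule CRD) to find_cluster_scoped_raw_items; any finding on a controller where is_affected_version returns True is a TenantResource to review before or right after upgrading to 0.13.0.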

CVSS 3.1 breakdown

Exploitability 2.3 · Impact 6.0
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

  • Attack vector: Network
  • Complexity: Low
  • Privileges required: High
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Affected versions

  • projectcapsule/capsule
    • < 0.13.0

Weaknesses

Vendors

  • projectcapsule

Products

  • capsule