Skip to main content
Mallory
Back to vulnerabilities
MediumPublic exploit

Privilege Escalation in Capsule TenantResource RawItems Processing

IdentifiersCVE-2026-22872CWE-269

CVE-2026-22872 affects Capsule, a multi-tenancy and policy-based framework for Kubernetes. The vulnerability exists in TenantResource RawItems processing in the Capsule Controller. Although the logic forcibly sets a namespace for submitted resources, that safeguard is ineffective for cluster-scoped Kubernetes resources, which do not belong to a namespace. Because the Capsule Controller runs with cluster-admin privileges by default, a tenant administrator with Tenant Owner privileges can submit cluster-scoped resources such as ClusterRole or ValidatingWebhookConfiguration through this path and have them created by the controller with elevated privileges. This allows a tenant administrator to bypass intended authorization boundaries and perform actions beyond their direct permissions, resulting in cross-tenant and cluster-level compromise. The issue is fixed in Capsule version 0.13.0.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a tenant administrator to abuse the Capsule Controller's cluster-admin privileges to create cluster-scoped Kubernetes resources. This can result in cross-tenant privilege escalation, creation of cluster-wide RBAC objects, deployment of malicious admission webhooks, theft or exposure of sensitive data including Secrets across tenants, cluster-wide denial of service, persistent backdoors, and broader cluster compromise. The impact extends beyond a single tenant and can affect the entire Kubernetes control plane security boundary.

Mitigation

If you can’t patch tonight, do this now.

Until a fixed release can be deployed, restrict or disable TenantResource RawItems usage for untrusted tenant administrators. Remove unnecessary cluster-admin privileges from the Capsule Controller where operationally feasible, or reduce its RBAC scope to the minimum required. Implement admission controls, policy enforcement, or validating restrictions to block creation of cluster-scoped resources through TenantResource. Additional admission controllers may reduce exploitability by rejecting malicious resources.

Remediation

Patch, then assume compromise.

Upgrade Capsule to version 0.13.0 or later, which patches the TenantResource RawItems processing flaw. After upgrading, review existing cluster-scoped resources for unauthorized objects that may have been created through exploitation, including ClusterRoles, ClusterRoleBindings, and webhook configurations. Validate that tenant-facing resource submission paths cannot create cluster-scoped objects.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
ProjectcapsuleCapsuleapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

8 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-22872
NVD
nvd.nist.gov/vuln/detail/CVE-2026-22872
MITRE CWE · CWE-269
cwe.mitre.org
Vendor Advisory
github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72
Release Notes
github.com/projectcapsule/capsule/releases/tag/v0.13.0