CVE-2026-30963: CWE-20: Improper Input Validation in projectcapsule capsule
CVE-2026-30963 is an input validation vulnerability in projectcapsule capsule versions prior to 0. 13. 0. Capsule uses a webhook to validate namespace update requests to prevent namespace hijacking, but it did not intercept updates via the namespace/finalize and namespace/status subresource APIs. This omission allows tenant administrators with permissions on these subresources to perform namespace hijacking. The issue is fixed in version 0. 13. 0 by adding interception rules for these subresources in the webhook configuration.
AI Analysis
Technical Summary
Capsule is a multi-tenancy and policy-based Kubernetes framework that defends against namespace hijacking by validating update requests on namespaces via a webhook. However, before version 0.13.0, the webhook did not intercept update requests made through the namespace/finalize and namespace/status subresource APIs, which can modify namespace metadata. Tenant administrators with permissions to modify these subresources could exploit this to hijack namespaces. Version 0.13.0 addresses this by adding these subresources to the ValidatingWebhookConfiguration rules, preventing unauthorized modifications via these paths.
Potential Impact
The vulnerability allows tenant administrators with permissions on the namespace/finalize or namespace/status subresources to hijack namespaces by modifying namespace metadata fields. The impact is limited to confidentiality, integrity, and availability at a low level, as indicated by the CVSS score of 3.9. There are no known exploits in the wild.
Mitigation Recommendations
Upgrade to projectcapsule version 0.13.0 or later, which includes the fix by adding interception rules for the namespace/finalize and namespace/status subresources in the webhook configuration. Alternatively, manually add these subresources to the ValidatingWebhookConfiguration rules to mitigate the issue. Patch status is not explicitly confirmed by a vendor advisory, but version 0.13.0 is stated to fix the issue.
CVE-2026-30963: CWE-20: Improper Input Validation in projectcapsule capsule
Description
CVE-2026-30963 is an input validation vulnerability in projectcapsule capsule versions prior to 0. 13. 0. Capsule uses a webhook to validate namespace update requests to prevent namespace hijacking, but it did not intercept updates via the namespace/finalize and namespace/status subresource APIs. This omission allows tenant administrators with permissions on these subresources to perform namespace hijacking. The issue is fixed in version 0. 13. 0 by adding interception rules for these subresources in the webhook configuration.
CVSS v3.1
Score 3.9low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Capsule is a multi-tenancy and policy-based Kubernetes framework that defends against namespace hijacking by validating update requests on namespaces via a webhook. However, before version 0.13.0, the webhook did not intercept update requests made through the namespace/finalize and namespace/status subresource APIs, which can modify namespace metadata. Tenant administrators with permissions to modify these subresources could exploit this to hijack namespaces. Version 0.13.0 addresses this by adding these subresources to the ValidatingWebhookConfiguration rules, preventing unauthorized modifications via these paths.
Potential Impact
The vulnerability allows tenant administrators with permissions on the namespace/finalize or namespace/status subresources to hijack namespaces by modifying namespace metadata fields. The impact is limited to confidentiality, integrity, and availability at a low level, as indicated by the CVSS score of 3.9. There are no known exploits in the wild.
Mitigation Recommendations
Upgrade to projectcapsule version 0.13.0 or later, which includes the fix by adding interception rules for the namespace/finalize and namespace/status subresources in the webhook configuration. Alternatively, manually add these subresources to the ValidatingWebhookConfiguration rules to mitigate the issue. Patch status is not explicitly confirmed by a vendor advisory, but version 0.13.0 is stated to fix the issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-07T17:53:48.814Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1de301e29bf47b503a4ebf
Added to database: 6/1/2026, 7:52:33 PM
Last enriched: 6/1/2026, 8:18:36 PM
Last updated: 6/2/2026, 6:21:52 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.