PT-2026-44722 · Capsule · Capsule

Xy585 · Published 2026-05-28 · Updated 2026-06-16 · CVE-2026-30963

CVSS v3.1: 3.9 (Low)

Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Capsule versions prior to 0.13.0

Description

Capsule uses a webhook to validate update requests targeting namespaces to prevent namespace hijacking. However, the webhook fails to define interception rules for the 'namespaces/finalize' and 'namespaces/status' subresource APIs. Since these APIs can modify the metadata field of a namespace, a tenant administrator with permissions to modify these subresources can successfully perform namespace hijacking by altering the ownerReferences field.

Recommendations

Update to version 0.13.0. As a temporary mitigation, add 'namespaces', 'namespaces/status', and 'namespaces/finalize' to the resources list in the ValidatingWebhookConfiguration rules.
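An added example, not part of the advisory or of Capsule's code: a Python check that reads a ValidatingWebhookConfiguration as JSON and reports webhooks that validate `namespaces` updates but leave `namespaces/status` or `namespaces/finalize` (the Kubernetes spelling of the subresources) uncovered. The sample object and its names are constructed placeholders, and selectors and matchPolicy are not evaluated.

```python
import json

# Constructed sample in the shape of `kubectl get validatingwebhookconfiguration
# -o json`; the object and webhook names are placeholders, not Capsule's own.
SAMPLE = json.loads("""
{"kind": "ValidatingWebhookConfiguration",
 "metadata": {"name": "example-validating-webhook"},
 "webhooks": [{"name": "namespaces.example.invalid",
   "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
              "operations": ["CREATE", "UPDATE", "DELETE"],
              "resources": ["namespaces"]}]}]}
""")

# Paths through which namespace metadata can be updated.
REQUIRED = ("namespaces", "namespaces/status", "namespaces/finalize")

def pattern_matches(pattern, target):
    """Match one `resources` entry of an admission rule against a target."""
    if pattern in ("*/*", target):
        return True
    res, _, sub = target.partition("/")
    if not sub:
        return pattern == "*"  # "*" covers resources, never subresources
    return pattern in (f"{res}/*", f"*/{sub}")

def rule_covers(rule, target, operation="UPDATE"):
    """True if the rule intercepts `operation` on the core-group target."""
    return (any(g in ("", "*") for g in rule.get("apiGroups", []))
            and any(v in ("v1", "*") for v in rule.get("apiVersions", []))
            and any(o in (operation, "*") for o in rule.get("operations", []))
            and rule.get("scope", "*") in ("*", "Cluster")
            and any(pattern_matches(p, target) for p in rule.get("resources", [])))

def uncovered_namespace_paths(config):
    """Map webhook name -> namespace update paths it does not intercept.
    Only webhooks that already validate `namespaces` updates are reported."""
    gaps = {}
    for hook in config.get("webhooks", []):
        rules = hook.get("rules", [])
        if not any(rule_covers(r, "namespaces") for r in rules):
            continue
        missing = [t for t in REQUIRED if not any(rule_covers(r, t) for r in rules)]
        if missing:
            gaps[hook["name"]] = missing
    return gaps

if __name__ == "__main__":
    for name, missing in uncovered_namespace_paths(SAMPLE).items():
        print(f"{name}: UPDATE not intercepted for {', '.join(missing)}")
```

An empty result means every webhook that guards `namespaces` updates also intercepts both subresources.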

Related Identifiers

CVE-2026-30963
GHSA-2WW6-HF35-MFJM
GO-2026-5043

Affected Products

Capsule