CVE-2026-55636

MEDIUMPre-NVD 5.75.7
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.7 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
5.7
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 5.7Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected

Summary

Capsule v0.13.2 webhook rules contain namespace/finalize (singular) instead of namespaces/finalize (plural). K8s requires plural. The finalize defense from CVE-2026-30963 fix is absent.

Details

PUT to /api/v1/namespaces//finalize has resource=namespaces (plural). The singular rule never matches. matchPolicy: Equivalent does not compensate.

PoC

Confirmed on kind + Capsule v0.13.2. alice (non-admin with namespaces/finalize RBAC): kubectl label --as=alice = DENIED (control). kubectl replace --raw /finalize --as=alice = 200 OK (bypass). Tenant label changed.

Impact

Namespace tenant-label hijack. Same threat model as CVE-2026-30963. One-char fix: namespace/finalize -> namespaces/finalize. The CVE-2026-30963 fix in Capsule v0.13.2 added subresource entries to the namespace validating webhook, but charts/capsule/templates/configuration.yaml line 105 contains a singular/plural typo: namespace/finalize instead of namespaces/finalize. Kubernetes webhook rules require the plural resource name. The finalize subresource defense is entirely absent.

Details

In Kubernetes admission webhooks, rules.resources matches against the plural resource name. A PUT to /api/v1/namespaces//finalize has resource=namespaces (plural). The rule namespace/finalize (singular) never matches any real API request.

The matchPolicy: Equivalent setting does NOT compensate (it handles API group/version variations, not resource name typos).

PoC

Confirmed on kind cluster + Capsule v0.13.2 (Helm chart):
# Setup: alice with namespaces/finalize RBAC
kubectl apply -f - < /tmp/ns.json

modify tenant label to "hijacked"

kubectl replace --raw "/api/v1/namespaces/oil-prod/finalize" -f /tmp/ns_modified.json --as=alice

200 OK - tenant label changed

Impact

Namespace tenant-label hijack via the finalize subresource bypass. Same threat model as CVE-2026-30963. One-character fix needed: namespace/finalize -> namespaces/finalize.

CVSS v3
5.7
EG Score
5.7(low)
EPSS
KEV
Not listed

Published

June 17, 2026

Last Modified

June 17, 2026

Vendor Advisories for CVE-2026-55636(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/projectcapsule/capsule0.13.6

Data Freshness Timeline

(refreshed 6× in last 7d / 18× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 10:30 UTCEG score recompute
  2. 2026-07-05 06:59 UTCEG score recompute
  3. 2026-07-04 04:43 UTCEG score recompute
  4. 2026-07-03 02:01 UTCEG score recompute
  5. 2026-07-01 23:47 UTCEG score recompute
  6. 2026-06-30 21:34 UTCEG score recompute
  7. 2026-06-29 19:20 UTCEG score recompute
  8. 2026-06-28 17:08 UTCEG score recompute
  9. 2026-06-27 14:55 UTCEG score recompute
  10. 2026-06-26 12:42 UTCEG score recompute
  11. 2026-06-25 10:29 UTCEG score recompute
  12. 2026-06-24 08:16 UTCEG score recompute
  13. 2026-06-23 06:03 UTCEG score recompute
  14. 2026-06-22 03:42 UTCEG score recompute
  15. 2026-06-21 01:29 UTCEG score recompute
  16. 2026-06-19 23:16 UTCEG score recompute
  17. 2026-06-18 21:03 UTCEG score recompute
  18. 2026-06-17 18:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-55636?
CVE-2026-55636 is a medium vulnerability published on June 17, 2026. Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected Summary Capsule v0.13.2 webhook rules contain namespace/finalize (singular) instead of namespaces/finalize (plural). K8s requires plural. The finalize defense from CVE-2026-30963 fix is absent.…
When was CVE-2026-55636 disclosed?
CVE-2026-55636 was first published in the National Vulnerability Database on June 17, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-55636?
CVE-2026-55636 has a CVSS v4.0 base score of 5.7 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-55636?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55636, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-55636

Explore →

Is Your Infrastructure Affected by CVE-2026-55636?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.