CVE-2026-55636: Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected

June 17, 2026

Capsule v0.13.2 webhook rules contain namespace/finalize (singular) instead of namespaces/finalize (plural). K8s requires plural. The finalize defense from CVE-2026-30963 fix is absent.

References

github.com/advisories/GHSA-gwxr-7h77-7777
github.com/projectcapsule/capsule/security/advisories/GHSA-gwxr-7h77-7777
nvd.nist.gov/vuln/detail/CVE-2026-55636

Code Behaviors & Features

Detect and mitigate CVE-2026-55636 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →