CVE-2026-32768
Kubernetes NetworkPolicy Bypass in Chall-Manager Enables Lateral Movement
Publication date: 2026-03-20
Last updated on: 2026-04-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ctfer-io | chall-manager | < 0.6.5 (0.6.5 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32768 is a high-severity vulnerability in Chall-Manager versions prior to 0.6.5, caused by a misconfigured Kubernetes NetworkPolicy. The misconfiguration lets an attacker who has already compromised a challenge instance in one namespace pivot to any Pod in a different namespace, breaking the namespace isolation that Chall-Manager is expected to enforce by default.
Specifically, the sdk/kubernetes.Kompose component does not properly isolate the instances it deploys, so the cross-namespace lateral movement requires no privileges, no user interaction, and no special conditions beyond an initial foothold in one instance.
The root cause is improper access control (CWE-284): the network-level access restriction between namespaces is missing or incorrectly implemented, so traffic that should be blocked at the namespace boundary is allowed.
How can this vulnerability impact me?
This vulnerability enables an attacker who has compromised an instance in one namespace to move laterally to any Pod in other namespaces, potentially gaining unauthorized access to resources across the system.
Although the initial exploit does not directly cause loss of confidentiality, integrity, or availability, the subsequent lateral movement can lead to significant damage affecting these security properties.
Because exploitation requires no privileges or user interaction and can be performed remotely with low complexity, the risk of compromise is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from a misconfigured Kubernetes NetworkPolicy that allows lateral movement across namespaces. Detection consists of inspecting the NetworkPolicy resources in your Kubernetes cluster for invalid or overly permissive policies, in particular those whose names are prefixed with "inter-ns-".
You can use kubectl to list and examine the NetworkPolicies in the affected namespaces. For example:
- `kubectl get networkpolicy -A`
- `kubectl describe networkpolicy <networkpolicy-name> -n <namespace>`
Look specifically for NetworkPolicies that do not properly restrict traffic between namespaces, or whose names start with "inter-ns-". If you have namespaces matching the pattern "cm-target-*", check those namespaces for such NetworkPolicies. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Chall-Manager to version 0.6.5 or later, where the NetworkPolicy issue has been fixed.
If an immediate upgrade is not feasible, the recommended workaround is to manually delete the problematic NetworkPolicy resources prefixed with "inter-ns-" in the affected namespaces.
A script is also provided that automates deletion of these NetworkPolicies for namespaces matching the pattern "cm-target-*".
These steps restore proper namespace isolation and prevent lateral movement between Pods across namespaces. [1]
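The detection and workaround steps above amount to one procedure: list every NetworkPolicy in the cluster, keep only those named "inter-ns-*" inside "cm-target-*" namespaces, review the list, and delete them. The script below is an added example that does exactly that; it is not the script the Chall-Manager project ships, nor a reproduction of it. It assumes `kubectl` is on PATH with a context that can list and delete NetworkPolicy objects cluster-wide, and the namespace suffixes in the embedded sample listing are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example, not Chall-Manager's own remediation script.
# Audit a cluster for NetworkPolicy objects named "inter-ns-*" inside
# namespaces matching "cm-target-*" and, only when APPLY=1 is set, delete them.
# Assumes kubectl is on PATH and the current context can list/delete
# NetworkPolicy objects in all namespaces.
set -eu

# Constructed sample of what list_cluster_policies prints, so the script
# can be exercised offline (the namespace suffixes are made up).
SAMPLE_LISTING='cm-target-7f3a   inter-ns-7f3a
cm-target-7f3a   default-deny
kube-system      inter-ns-legacy
cm-target-9b1c   inter-ns-9b1c
default          allow-dns'

# One line per NetworkPolicy in the cluster: "<namespace> <name>".
list_cluster_policies() {
  kubectl get networkpolicy -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name
}

# Keep only lines whose namespace matches cm-target-* AND whose name matches
# inter-ns-*. Both conditions are required: an inter-ns-* policy outside a
# cm-target-* namespace is not the one the advisory describes and is left alone.
find_inter_ns_policies() {
  awk '$1 ~ /^cm-target-/ && $2 ~ /^inter-ns-/ { print $1, $2 }'
}

# Number of matching policies in a listing supplied on stdin (0 means clean).
count_inter_ns_policies() {
  find_inter_ns_policies | awk 'END { print NR }'
}

# Dry-run by default: print the delete command for each "<ns> <name>" line
# read from stdin. Only APPLY=1 actually runs kubectl delete, so the list can
# be reviewed before anything in the cluster changes.
delete_policies() {
  while read -r ns name; do
    [ -n "$ns" ] || continue
    if [ "${APPLY:-0}" = "1" ]; then
      kubectl delete networkpolicy "$name" -n "$ns"
    else
      echo "DRY-RUN: kubectl delete networkpolicy $name -n $ns"
    fi
  done
}

# Offline demonstration against the constructed listing (always a dry run).
demo() {
  printf '%s\n' "$SAMPLE_LISTING" | find_inter_ns_policies | delete_policies
}

case "${1:-}" in
  --demo)    demo ;;
  --cluster) list_cluster_policies | find_inter_ns_policies | delete_policies ;;
esac
```

Run `sh audit.sh --cluster` first to get the dry-run list, and only then `APPLY=1 sh audit.sh --cluster` to delete. After deleting, re-run the dry run and confirm it prints nothing; a non-empty result means new instances are still being deployed by an unpatched Chall-Manager, and the upgrade to 0.6.5 or later remains the actual fix.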