CVE-2026-32769
Received Received - Intake
NetworkPolicy Misconfiguration in Fullchain Enables Lateral Movement

Publication date: 2026-03-20

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. The flawed inter-ns NetworkPolicy breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This issue has been fixed in version 0.1.1. To workaround, delete the failing network policy that should be prefixed by inter-ns- in the target namespace.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32769
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ctfer fullchain to 0.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32769 is a vulnerability in the Fullchain project, which is a platform for deploying Capture The Flag (CTF) environments. In versions prior to 0.1.1, a misconfigured Kubernetes NetworkPolicy allowed a malicious actor who compromised an application within one namespace to pivot and access Pods in other namespaces. This misconfiguration breaks the expected security-by-default isolation between namespaces, enabling lateral movement across the cluster.'}, {'type': 'paragraph', 'content': 'The issue stems from an invalid NetworkPolicy prefixed with "inter-ns-" that failed to restrict cross-namespace Pod communication properly. This flaw allows attackers to bypass intended network segmentation controls within Kubernetes clusters.'}] [2]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have a significant impact by allowing an attacker who has compromised an application in one namespace to move laterally to other namespaces within the Kubernetes cluster. Although the initial compromise requires no privileges or user interaction and has low attack complexity, the subsequent impact on confidentiality, integrity, and availability is high.'}, {'type': 'list_item', 'content': 'Lateral movement across namespaces, potentially compromising other Pods and services.'}, {'type': 'list_item', 'content': 'Bypassing network segmentation and isolation controls, increasing the attack surface.'}, {'type': 'list_item', 'content': "Potential widespread compromise of the cluster's resources and data."}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of Kubernetes NetworkPolicies in your namespaces that have names prefixed with "inter-ns-". These policies are misconfigured and allow cross-namespace Pod communication, which should be restricted.'}, {'type': 'paragraph', 'content': 'You can use kubectl commands to list and inspect these NetworkPolicies to identify if the vulnerable policy exists.'}, {'type': 'list_item', 'content': 'kubectl get networkpolicies --all-namespaces | grep inter-ns-'}, {'type': 'list_item', 'content': 'kubectl describe networkpolicy inter-ns-<policy-name> -n <namespace>'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to delete any NetworkPolicies in your namespaces that have names prefixed with "inter-ns-", as these are the misconfigured policies allowing lateral movement.'}, {'type': 'paragraph', 'content': 'If possible, update the fullchain project to version 0.1.1 or later, where the problematic NetworkPolicy has been removed.'}, {'type': 'list_item', 'content': 'kubectl delete networkpolicy -n <namespace> -l name=inter-ns-'}, {'type': 'list_item', 'content': 'Upgrade fullchain to version 0.1.1 or later.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32769. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart