CVE-2026-32737
Published: 18 March 2026
Summary
CVE-2026-32737 is a critical-severity Improper Access Control (CWE-284) vulnerability in Ctfer-Io Romeo. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Lateral Tool Transfer (T1570); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for controlling information flows between the hardened namespace and external pods, directly mitigating the misconfigured NetworkPolicy enabling lateral movement.
Monitors and controls communications at key internal boundaries within the Kubernetes cluster, preventing unauthorized pivoting from the hardened namespace to other pods.
Establishes and enforces secure configuration settings for NetworkPolicies to isolate namespaces properly, addressing the mis-written inter-ns policy at the root of the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Misconfigured NetworkPolicy enables direct container-to-container network access, facilitating lateral movement via T1570 (Lateral Tool Transfer) and T1210 (Exploitation of Remote Services) across Pods.
NVD Description
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can…
more
pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace.
Deeper analysisAI
CVE-2026-32737 is a critical vulnerability in Romeo, a tool designed to achieve high code coverage for Go applications version 1.20 and later by measuring coverage during functional and integration tests in GitHub Actions. In versions prior to 0.2.1, the vulnerability stems from a miswritten NetworkPolicy that fails to properly isolate the "hardened" namespace, allowing unauthorized network access beyond its boundaries. This issue, linked to CWE-284 (Improper Access Control), carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating severe potential for remote exploitation with full confidentiality, integrity, and availability impacts.
A malicious actor with network access can exploit this from the hardened namespace to pivot laterally to any Pod outside it, bypassing Kubernetes network isolation controls. Exploitation requires no privileges or user interaction, enabling attackers who compromise the initial namespace—such as through a supply chain attack on the GitHub Actions workflow—to achieve container-to-container lateral movement across the cluster. This undermines the security-by-default posture of Romeo deployments, potentially leading to full cluster compromise depending on the target's Pod configurations and privileges.
The patch in Romeo version 0.2.1 removes the flawed `inter-ns` NetworkPolicy to restore proper isolation. For production environments unable to update immediately, manually delete the `inter-ns`-prefixed NetworkPolicy in the target namespace as a workaround, followed by an upgrade at the earliest opportunity. Details are available in the GitHub security advisory (GHSA-fgm3-q9r5-43v9) and the fixing commit (3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78).
Details
- CWE(s)