Cyber Resilience

CVE-2026-32768

Severity: High
Published: 20 March 2026
Modified: 08 April 2026
CVSS v4.0 score: 7.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0028 (20.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32768 is a high-severity Improper Access Control (CWE-284) vulnerability in Ctfer-Io Chall-Manager. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Services (T1021.007). The vulnerability ranks at the 20.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-32768 affects Chall-Manager, a platform-agnostic system for starting challenges on demand in response to player requests, specifically in versions prior to 0.6.5. The vulnerability stems from a miswritten NetworkPolicy that fails to properly isolate instances, allowing unauthorized access beyond the expected boundaries. This issue is particularly evident in deployments using sdk/kubernetes.Kompose, where pod isolation is not enforced, violating the security-by-default properties of the deployment program. The flaw is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. From a compromised instance within a namespace, the malicious actor can pivot to any pod outside the origin namespace, enabling lateral movement across the cluster. This grants high-impact access to confidentiality, integrity, and availability, potentially compromising the entire environment.

The issue has been addressed in Chall-Manager version 0.6.5, as detailed in the project's security advisory (GHSA-mw24-f3xh-j3qv), release notes, and the fixing commit (dc5ef27dfed2befef7f506ab8ca14d062b0d79c5). Security practitioners should upgrade to v0.6.5 or later to mitigate the risk and restore proper NetworkPolicy enforcement.

Vulnerability details

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. In the specific case of sdk/kubernetes.Kompose it does not isolate the instances. This issue has been fixed in version 0.6.5.
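As an added illustration of the failure mode described above (constructed here; not Chall-Manager's actual manifests nor the content of the fixing commit), the first policy below lets an instance's pods reach every namespace through an unbounded namespaceSelector, while the second confines them to their own namespace with cluster DNS as the only cross-namespace exception. The namespace name ctf-instance-42 and the kube-dns labels are assumptions.

```yaml
# Constructed illustration; not the project's real NetworkPolicy.
# Namespace name and DNS selector labels are assumptions.
---
# WEAK: an empty namespaceSelector matches every namespace, so a pod in
# this instance can open connections to any pod in the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: instance-egress-weak
  namespace: ctf-instance-42
spec:
  podSelector: {}            # applies to every pod in the instance namespace
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector: {}   # BUG: selects all namespaces
---
# CORRECTED: ingress and egress are limited to the instance's own
# namespace; DNS in kube-system on port 53 is the only exception.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: instance-isolation
  namespace: ctf-instance-42
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}         # same-namespace pods only
          # add a separate entry for your ingress/gateway namespace if
          # players reach the instance through one
  egress:
    - to:
        - podSelector: {}         # same-namespace pods only
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed DNS labels; adjust per cluster
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

The NetworkPolicy object does nothing unless the cluster's CNI enforces it, so verify after applying: a connectivity test from a pod in ctf-instance-42 to a service in another namespace should time out while name resolution still succeeds.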

Related Threats

MITRE ATT&CK Enterprise Techniques

T1021.007 Cloud Services (Lateral Movement)
Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.

T1570 Lateral Tool Transfer (Lateral Movement)
Adversaries may transfer tools or other files between systems in a compromised environment.
Why these techniques?

Misconfigured NetworkPolicy enables cross-namespace pod access from a compromised instance, directly facilitating lateral movement via cloud/container remote services and tool/file transfers across the cluster.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53632 (same product: Ctfer-Io Chall-Manager)
CVE-2025-53633 (same product: Ctfer-Io Chall-Manager)
CVE-2026-32737 (same vendor: Ctfer-Io)
CVE-2026-32805 (same vendor: Ctfer-Io)
CVE-2026-32769 (shared CWE-284)
CVE-2026-20628 (shared CWE-284)
CVE-2024-12368 (shared CWE-284)
CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-57130 (shared CWE-284)

Affected Assets

ctfer-io / chall-manager, versions ≤ 0.6.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces approved information flow control policies via NetworkPolicies to prevent unauthorized pivoting and lateral movement from a compromised pod to others across namespaces.

prevent: Monitors and controls communications at key internal boundaries like Kubernetes namespaces, blocking cross-namespace pod access exploited by the misconfigured NetworkPolicy.

prevent: Establishes and maintains secure configuration settings for NetworkPolicies to enforce pod isolation by default, directly addressing the miswritten policy in Chall-Manager deployments.

References