CVE-2026-32768
Published: 20 March 2026
Summary
CVE-2026-32768 is a critical-severity Improper Access Control (CWE-284) vulnerability in Ctfer-Io Chall-Manager. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Services (T1021.007). The CVE ranks at the 17.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved information flow control policies via NetworkPolicies to prevent unauthorized pivoting and lateral movement from a compromised pod to others across namespaces.
Monitors and controls communications at key internal boundaries like Kubernetes namespaces, blocking cross-namespace pod access exploited by the misconfigured NetworkPolicy.
Establishes and maintains secure configuration settings for NetworkPolicies to enforce pod isolation by default, directly addressing the miswritten policy in Chall-Manager deployments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Misconfigured NetworkPolicy enables cross-namespace pod access from a compromised instance, directly facilitating lateral movement via cloud/container remote services and tool/file transfers across the cluster.
NVD Description
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. In the specific case of sdk/kubernetes.Kompose it does not isolate the instances. This issue has been fixed in version 0.6.5.
Deeper analysis
CVE-2026-32768 affects Chall-Manager, a platform-agnostic system for starting challenges on demand in response to player requests, specifically in versions prior to 0.6.5. The vulnerability stems from a miswritten NetworkPolicy that fails to properly isolate instances, allowing unauthorized access beyond the expected boundaries. This issue is particularly evident in deployments using sdk/kubernetes.Kompose, where pod isolation is not enforced, violating the security-by-default properties of the deployment program. The flaw is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. From a compromised instance within a namespace, the malicious actor can pivot to any pod outside the origin namespace, enabling lateral movement across the cluster. The impact on confidentiality, integrity, and availability is rated high, potentially compromising the entire environment.
The issue has been addressed in Chall-Manager version 0.6.5, as detailed in the project's security advisory (GHSA-mw24-f3xh-j3qv), release notes, and the fixing commit (dc5ef27dfed2befef7f506ab8ca14d062b0d79c5). Security practitioners should upgrade to v0.6.5 or later to mitigate the risk and restore proper NetworkPolicy enforcement.
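The page does not reproduce the miswritten policy, so the following added example (not Chall-Manager's code) shows a general audit a cluster operator can run after upgrading: it flags NetworkPolicy objects whose egress rules still let selected pods reach other namespaces. The policy names, namespaces and the `SAMPLE` data are constructed for illustration.

```python
# Added example: audit NetworkPolicy objects for egress that leaves the namespace.
NS_NAME_LABEL = "kubernetes.io/metadata.name"  # label Kubernetes sets on every namespace

def egress_enforced(policy):
    """True if this policy isolates its selected pods for egress."""
    spec = policy.get("spec", {})
    # With policyTypes omitted, Egress applies only when egress rules are present.
    default = ["Ingress", "Egress"] if spec.get("egress") else ["Ingress"]
    return "Egress" in spec.get("policyTypes", default)

def cross_namespace_egress(policy):
    """List reasons this policy lets selected pods reach other namespaces."""
    ns, name = policy["metadata"]["namespace"], policy["metadata"]["name"]
    if not egress_enforced(policy):
        return [f"{ns}/{name}: Egress not in policyTypes, egress is not restricted"]
    findings = []
    for i, rule in enumerate(policy["spec"].get("egress") or []):
        peers = rule.get("to") or []
        if not peers:
            findings.append(f"{ns}/{name}: egress[{i}] has no 'to', all destinations allowed")
        for peer in peers:
            sel = peer.get("namespaceSelector")
            if sel is None:
                continue  # podSelector alone stays in-namespace; ipBlock needs CIDR review
            own_only = (sel.get("matchLabels") == {NS_NAME_LABEL: ns}
                        and not sel.get("matchExpressions"))
            if not own_only:
                findings.append(f"{ns}/{name}: egress[{i}] namespaceSelector {sel} "
                                "matches other namespaces")
    return findings

# Constructed sample policies (hypothetical names), shaped like items from
# `kubectl get networkpolicy -A -o json`.
SAMPLE = [
    {"metadata": {"namespace": "instance-a", "name": "isolate"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"], "egress": [
         {"to": [{"podSelector": {}}]},
         {"to": [{"namespaceSelector": {}, "podSelector": {}}]},
         {"to": [{"namespaceSelector": {"matchLabels": {NS_NAME_LABEL: "instance-a"}}}]}]}},
    {"metadata": {"namespace": "instance-b", "name": "ingress-only"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]

def audit(policies):
    return [f for p in policies for f in cross_namespace_egress(p)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Peers that use `ipBlock` are skipped here because judging them requires knowing the cluster's pod CIDR ranges; review those by hand.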
Details
- CWE(s)