CVE-2026-32768
Published: 20 March 2026
Summary
CVE-2026-32768 is a high-severity Improper Access Control (CWE-284) vulnerability in Ctfer-Io Chall-Manager. Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Services (T1021.007). The CVE ranks at the 20.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-32768 affects Chall-Manager, a platform-agnostic system for starting challenges on demand in response to player requests, specifically in versions prior to 0.6.5. The vulnerability stems from a miswritten NetworkPolicy that fails to properly isolate instances, allowing unauthorized access beyond the expected boundaries. This issue is particularly evident in deployments using sdk/kubernetes.Kompose, where pod isolation is not enforced, violating the security-by-default properties of the deployment program. The flaw is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. From a compromised instance within a namespace, the malicious actor can pivot to any pod outside the origin namespace, enabling lateral movement across the cluster. This grants high-impact access to confidentiality, integrity, and availability, potentially compromising the entire environment.
The issue has been addressed in Chall-Manager version 0.6.5, as detailed in the project's security advisory (GHSA-mw24-f3xh-j3qv), release notes, and the fixing commit (dc5ef27dfed2befef7f506ab8ca14d062b0d79c5). Security practitioners should upgrade to v0.6.5 or later to mitigate the risk and restore proper NetworkPolicy enforcement.
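One way to audit deployed NetworkPolicy objects for egress rules that let an instance reach other namespaces, as described above. This is an added example, not Chall-Manager's code or its fix; the page does not say which rule was miswritten, and the sample policies and their names are constructed.

```python
# Added example: audit NetworkPolicy objects, e.g. the items from
# `kubectl get networkpolicy -A -o json`, for cross-namespace egress.
OWN_NS_LABEL = "kubernetes.io/metadata.name"  # label Kubernetes sets on every namespace

def cross_namespace_egress(policy):
    """Return reasons why pods selected by this policy can reach other namespaces."""
    ns = policy["metadata"].get("namespace", "default")
    spec = policy.get("spec", {})
    types = spec.get("policyTypes")
    # Without policyTypes, Egress applies only if the policy has an egress section.
    restricts = "Egress" in types if types is not None else "egress" in spec
    if not restricts:
        return ["policy does not restrict egress"]
    findings = []
    for i, rule in enumerate(spec.get("egress") or []):
        peers = rule.get("to") or []
        if not peers:
            findings.append(f"egress[{i}]: no 'to' peers, all destinations allowed")
        for peer in peers:
            if "namespaceSelector" in peer:
                sel = peer["namespaceSelector"] or {}
                only_own = (sel.get("matchLabels") == {OWN_NS_LABEL: ns}
                            and not sel.get("matchExpressions"))
                if not sel:
                    findings.append(f"egress[{i}]: empty namespaceSelector selects every namespace")
                elif not only_own:
                    findings.append(f"egress[{i}]: namespaceSelector can match other namespaces")
            elif "ipBlock" in peer:
                blk = peer["ipBlock"]
                if blk.get("cidr") in ("0.0.0.0/0", "::/0") and not blk.get("except"):
                    findings.append(f"egress[{i}]: ipBlock {blk['cidr']} has no 'except' ranges")
            # A peer with only podSelector stays inside the policy's own namespace.
    return findings

# Constructed sample policies (hypothetical names and namespace).
META = {"namespace": "instance-a"}
ISOLATED = {"metadata": {**META, "name": "same-ns-only"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                     "egress": [{"to": [{"podSelector": {}}]}]}}
OPEN_NS = {"metadata": {**META, "name": "all-namespaces"},
           "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                    "egress": [{"to": [{"namespaceSelector": {}}]}]}}
INGRESS_ONLY = {"metadata": {**META, "name": "ingress-only"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}

if __name__ == "__main__":
    for p in (ISOLATED, OPEN_NS, INGRESS_ONLY):
        print(p["metadata"]["name"], cross_namespace_egress(p) or "OK")
```

A clean result for one policy is not proof of isolation: NetworkPolicies are additive, so every policy selecting the instance pods has to pass.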
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13571
Vulnerability details
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace.
This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. In the specific case of sdk/kubernetes.Kompose it does not isolate the instances. This issue has been fixed in version 0.6.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Misconfigured NetworkPolicy enables cross-namespace pod access from a compromised instance, directly facilitating lateral movement via cloud/container remote services and tool/file transfers across the cluster.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces approved information flow control policies via NetworkPolicies to prevent unauthorized pivoting and lateral movement from a compromised pod to others across namespaces.
Monitors and controls communications at key internal boundaries like Kubernetes namespaces, blocking cross-namespace pod access exploited by the misconfigured NetworkPolicy.
Establishes and maintains secure configuration settings for NetworkPolicies to enforce pod isolation by default, directly addressing the miswritten policy in Chall-Manager deployments.