CVE-2026-32769
Published: 20 March 2026
Summary
CVE-2026-32769 is a critical-severity Improper Access Control (CWE-284) vulnerability in Ctfer Fullchain. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 7.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for controlling information flows between Kubernetes namespaces, directly preventing lateral movement enabled by the flawed inter-ns NetworkPolicy.
Monitors and controls communications at internal system boundaries such as Kubernetes namespaces, mitigating unauthorized pod-to-pod pivoting across namespaces.
Establishes secure configuration settings for network policies to avoid misconfigurations that break inter-namespace isolation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Misconfigured Kubernetes NetworkPolicy directly allows post-compromise network access between namespaces/pods, enabling unauthorized lateral movement (T1210 Exploitation of Remote Services) and tool/file transfers across the cluster (T1570 Lateral Tool Transfer) without further authentication.
NVD Description
Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. The flawed inter-ns NetworkPolicy breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This issue has been fixed in version 0.1.1. As a workaround, delete the failing network policy that should be prefixed by inter-ns- in the target namespace.
Deeper analysis
CVE-2026-32769 affects Fullchain, an umbrella project for deploying a ready-to-use CTF platform, specifically in versions prior to 0.1.1. The vulnerability stems from a mis-written Kubernetes NetworkPolicy intended to enforce inter-namespace (inter-ns) traffic restrictions. This flaw breaks the security-by-default property of the deployment, enabling unauthorized lateral movement within the cluster. It is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control).
A malicious actor who first subverts an application within a namespace can exploit the flawed NetworkPolicy to pivot and access any Pod outside the origin namespace. This requires initial compromise of an application Pod but allows subsequent network access without further authentication, potentially leading to high-impact confidentiality, integrity, and availability violations across the cluster.
The issue was addressed in Fullchain version 0.1.1, as detailed in the project's GitHub security advisory (GHSA-hxm7-9q36-c77f), release notes, and the fixing commit. As a workaround, administrators can delete the failing NetworkPolicy resource prefixed with "inter-ns-" in the target namespace.
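To locate the policy the workaround refers to and see why it may fail to isolate a namespace, the following added example (not code from Fullchain or the advisory) audits the JSON produced by `kubectl get networkpolicy -n <namespace> -o json`. The flawed manifest is not reproduced on this page, so the checks are assumptions based on general Kubernetes NetworkPolicy semantics, and the policy names and selectors in `SAMPLE` are constructed.

```python
# Added example: audits NetworkPolicy objects whose names start with "inter-ns-".
# Input shape is that of `kubectl get networkpolicy -n <namespace> -o json`.
# SAMPLE is constructed for illustration; it is not Fullchain's real manifest.
SAMPLE = {"items": [
    {"metadata": {"name": "inter-ns-a1b2", "namespace": "team-a"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {"matchExpressions": [
                  {"key": "kubernetes.io/metadata.name", "operator": "NotIn",
                   "values": ["kube-system"]}]}}]}]}},
    {"metadata": {"name": "inter-ns-c3d4", "namespace": "team-a"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {"matchLabels": {
                  "kubernetes.io/metadata.name": "team-a"}}}]}]}},
    {"metadata": {"name": "allow-dns", "namespace": "team-a"},
     "spec": {"podSelector": {}, "egress": [{}]}},
]}

BROAD_OPERATORS = {"NotIn", "DoesNotExist"}  # match every namespace except a few

def is_broad(selector):
    """True if a namespaceSelector has no positive constraint ({} selects all)."""
    exprs = selector.get("matchExpressions") or []
    return not selector.get("matchLabels") and all(e.get("operator") in BROAD_OPERATORS for e in exprs)

def audit(policy_list, prefix="inter-ns-"):
    """Return (policy, direction, reason) for rules that reach across namespaces."""
    findings = []
    for pol in policy_list.get("items", []):
        name = pol["metadata"]["name"]
        if not name.startswith(prefix):
            continue
        for direction, key in (("egress", "to"), ("ingress", "from")):
            for rule in pol.get("spec", {}).get(direction) or []:
                peers = rule.get(key) or []
                if not peers:  # a rule without peers allows every destination/source
                    findings.append((name, direction, "no peers"))
                for peer in peers:
                    sel = peer.get("namespaceSelector")
                    if sel is not None and is_broad(sel):
                        findings.append((name, direction, "broad namespaceSelector"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

A finding marks a policy for manual review against the fixed 0.1.1 manifests; it does not by itself confirm that the policy is the vulnerable one.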
Details
- CWE(s)