Cyber Resilience

CVE-2026-32769

High · Public PoC

Published: 20 March 2026

Modified: 16 April 2026
CVSS Score v4: 7.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0050 (38.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32769 is a high-severity Improper Access Control (CWE-284) vulnerability in Ctfer Fullchain. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 38.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-32769 affects Fullchain, an umbrella project for deploying a ready-to-use CTF platform, specifically in versions prior to 0.1.1. The vulnerability stems from a mis-written Kubernetes NetworkPolicy intended to enforce inter-namespace (inter-ns) traffic restrictions. This flaw breaks the security-by-default property of the deployment, enabling unauthorized lateral movement within the cluster. It is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control).

A malicious actor who first subverts an application within a namespace can exploit the flawed NetworkPolicy to pivot and access any Pod outside the origin namespace. This requires initial compromise of an application Pod but allows subsequent network access without further authentication, potentially leading to high-impact confidentiality, integrity, and availability violations across the cluster.

The issue was addressed in Fullchain version 0.1.1, as detailed in the project's GitHub security advisory (GHSA-hxm7-9q36-c77f), release notes, and the fixing commit. As a workaround, administrators can delete the failing NetworkPolicy resource prefixed with "inter-ns-" in the target namespace.
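An added audit sketch (not Fullchain's code, and not a reproduction of its actual policy, which this page does not show) that applies Kubernetes NetworkPolicy egress semantics to flag peers admitting Pods outside the policy's own namespace. The function names, namespace names, sample policies and the 10.244.0.0/16 Pod CIDR are constructed assumptions.

```python
import ipaddress

def selects(selector, labels):
    """Kubernetes LabelSelector semantics: an empty selector ({}) matches everything."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, values = expr["key"], expr.get("values") or []
        if not {"In": labels.get(key) in values, "NotIn": labels.get(key) not in values,
                "Exists": key in labels, "DoesNotExist": key not in labels}[expr["operator"]]:
            return False
    return True

def cross_namespace_egress(policy, ns_labels, pod_cidr):
    """List the egress peers of `policy` that admit Pods outside its own namespace."""
    origin, spec = policy["metadata"]["namespace"], policy.get("spec") or {}
    # Kubernetes default: Egress is only implied when egress rules are present.
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if spec.get("egress") else [])
    if "Egress" not in types:
        return ["policy does not restrict egress"]
    findings = []
    for i, rule in enumerate(spec.get("egress") or []):
        peers = rule.get("to") or []
        if not peers:
            findings.append(f"egress[{i}]: no 'to' peers, every destination allowed")
        for peer in peers:
            if peer.get("ipBlock"):  # 'except' is ignored, so this errs towards reporting
                cidr = ipaddress.ip_network(peer["ipBlock"]["cidr"], strict=False)
                if cidr.overlaps(ipaddress.ip_network(pod_cidr)):
                    findings.append(f"egress[{i}]: ipBlock {cidr} overlaps Pod CIDR")
            elif peer.get("namespaceSelector") is not None:
                hit = sorted(ns for ns, lb in ns_labels.items()
                             if ns != origin and selects(peer["namespaceSelector"], lb))
                if hit:
                    findings.append(f"egress[{i}]: namespaceSelector reaches {', '.join(hit)}")
    return findings

# Constructed sample data, not the Fullchain manifests.
NAME = "kubernetes.io/metadata.name"
NAMESPACES = {ns: {NAME: ns} for ns in ("challenge-a", "challenge-b", "kube-system")}
def policy(peers):
    return {"metadata": {"name": "inter-ns-sample", "namespace": "challenge-a"},
            "spec": {"policyTypes": ["Egress"], "egress": [{"to": peers}]}}
LOOSE = policy([{"namespaceSelector": {}}])  # empty selector: all namespaces
TIGHT = policy([{"namespaceSelector": {"matchLabels": {NAME: "challenge-a"}}}])
if __name__ == "__main__":
    for label, pol in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, cross_namespace_egress(pol, NAMESPACES, "10.244.0.0/16"))
```

On a live cluster the same function can be fed the items from `kubectl get networkpolicy -n <namespace> -o json` together with the namespace labels from `kubectl get namespaces -o json`.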

Vulnerability details

Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. The flawed inter-ns NetworkPolicy breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This issue has been fixed in version 0.1.1. As a workaround, delete the failing network policy, which should be prefixed by inter-ns-, in the target namespace.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1570 Lateral Tool Transfer (Lateral Movement)
Adversaries may transfer tools or other files between systems in a compromised environment.

Why these techniques?

Misconfigured Kubernetes NetworkPolicy directly allows post-compromise network access between namespaces/pods, enabling unauthorized lateral movement (T1210 Exploitation of Remote Services) and tool/file transfers across the cluster (T1570 Lateral Tool Transfer) without further authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32737: Shared CWE-284
CVE-2024-23920: Shared CWE-284
CVE-2026-32771: Same vendor: Ctfer
CVE-2025-1260: Shared CWE-284
CVE-2026-0386: Shared CWE-284
CVE-2026-23595: Shared CWE-284
CVE-2026-21667: Shared CWE-284
CVE-2026-21262: Shared CWE-284
CVE-2025-54968: Shared CWE-284
CVE-2025-48983: Shared CWE-284

Affected Assets

ctfer fullchain ≤ 0.1.1

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces approved authorizations for controlling information flows between Kubernetes namespaces, directly preventing lateral movement enabled by the flawed inter-ns NetworkPolicy.

Prevent: Monitors and controls communications at internal system boundaries such as Kubernetes namespaces, mitigating unauthorized pod-to-pod pivoting across namespaces.

Prevent: Establishes secure configuration settings for network policies to avoid misconfigurations that break inter-namespace isolation.
