
CVE-2026-32737: CWE-284: Improper Access Control in ctfer-io romeo

Severity: High
Published: Wed Mar 18 2026 (03/18/2026, 22:23:09 UTC)
Source: CVE Database V5
Vendor/Project: ctfer-io
Product: romeo

Description

CVE-2026-32737 is a high-severity vulnerability in ctfer-io's Romeo tool versions prior to 0.2.1. It arises from an improperly configured NetworkPolicy that allows a malicious actor to pivot laterally from a hardened Kubernetes namespace to any other Pod outside it. This breaks the expected security-by-default isolation, enabling unauthorized access and potential lateral movement within the cluster. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The issue is fixed by removing the misconfigured inter-ns NetworkPolicy in version 0.2.1, or by manually deleting the policy if immediate updates are not possible. Organizations using Romeo for Go application code coverage in GitHub Actions should prioritize patching or mitigation to prevent compromise.

AI-Powered Analysis

AI analysis last updated: 03/18/2026, 22:57:51 UTC

Technical Analysis

CVE-2026-32737 is an improper access control vulnerability (CWE-284) found in ctfer-io's Romeo tool, a utility designed to measure code coverage for Go applications (version ≥1.20) within GitHub Actions workflows. The vulnerability stems from a mis-written Kubernetes NetworkPolicy named with the prefix 'inter-ns' that was intended to restrict network traffic between namespaces. However, prior to version 0.2.1, this policy allowed a malicious actor to bypass namespace isolation by pivoting from the 'hardened' namespace to any Pod outside it. This misconfiguration breaks the security-by-default principle expected in Kubernetes deployments, enabling lateral movement across namespaces and potentially compromising other workloads in the cluster. The vulnerability requires no privileges or user interaction and can be exploited remotely over the network, making it highly accessible to attackers. The fix introduced in version 0.2.1 removes the problematic inter-ns NetworkPolicy, restoring proper namespace isolation. For environments where immediate upgrading is not feasible, manual deletion of the failing NetworkPolicy (prefixed with 'inter-ns-') in the target namespace is recommended to mitigate the risk. Although no known exploits are reported in the wild yet, the vulnerability's characteristics and high CVSS score (7.9) indicate a significant risk to affected deployments.

Potential Impact

This vulnerability allows attackers to bypass Kubernetes namespace isolation, a fundamental security boundary in container orchestration environments. By exploiting this flaw, a malicious actor can move laterally from a hardened namespace to other Pods, potentially accessing sensitive data, injecting malicious code, or disrupting services across the cluster. This compromises confidentiality, integrity, and availability of workloads running within the affected Kubernetes environment. Organizations relying on Romeo for Go application testing in CI/CD pipelines may inadvertently expose their clusters to internal threats or external attackers who gain initial access. The ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially in multi-tenant or shared Kubernetes environments. This can lead to data breaches, service outages, and erosion of trust in DevOps processes. The impact is magnified in large-scale deployments and environments with critical workloads, where lateral movement can cascade into widespread compromise.

Mitigation Recommendations

1. Upgrade Romeo to version 0.2.1 or later immediately to apply the official fix that removes the misconfigured inter-ns NetworkPolicy.
2. If upgrading is not possible in production, manually identify and delete any NetworkPolicy resources prefixed with 'inter-ns-' in the affected namespaces to restore proper network segmentation.
3. Audit Kubernetes NetworkPolicies regularly to ensure they enforce strict namespace isolation and adhere to the principle of least privilege.
4. Implement network segmentation and micro-segmentation best practices within Kubernetes clusters to limit lateral movement potential.
5. Monitor network traffic between namespaces for unusual patterns that could indicate exploitation attempts.
6. Integrate security checks into CI/CD pipelines to detect misconfigurations in NetworkPolicies before deployment.
7. Educate DevOps and security teams about the risks of improper NetworkPolicy configurations and the importance of timely patching.
8. Consider deploying runtime security tools that can detect and block lateral movement attempts within Kubernetes clusters.
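As an added defender-side check that is not part of this advisory or of the Romeo project: the script below audits a `kubectl get networkpolicy -A -o json` dump for the two things the analysis and mitigation steps call out, policies carrying the 'inter-ns-' name prefix and egress rules that can reach Pods in every namespace, and emits the `kubectl delete` commands from step 2 for review rather than running them. The sample policies are constructed; the page does not show Romeo's actual policy, so its shape here is an assumption.

```python
# Constructed sample in the shape of `kubectl get networkpolicy -A -o json`.
# The advisory does not show Romeo's real policy; the first item is an assumed
# illustration of an egress rule whose namespaceSelector matches every namespace.
SAMPLE_POLICIES = {"items": [
    {"metadata": {"name": "inter-ns-coverage", "namespace": "hardened"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {}}]}]}},
    {"metadata": {"name": "allow-dns", "namespace": "hardened"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {"matchLabels":
                                   {"kubernetes.io/metadata.name": "kube-system"}},
                                  "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                          "ports": [{"protocol": "UDP", "port": 53}]}]}},
]}

def peer_reaches_all_namespaces(peer):
    """True if a single egress peer can match Pods in any namespace."""
    if "ipBlock" in peer:
        return peer["ipBlock"].get("cidr") in ("0.0.0.0/0", "::/0")
    ns = peer.get("namespaceSelector")
    # namespaceSelector {} matches every namespace; a peer with only a podSelector
    # stays inside the policy's own namespace.
    return ns is not None and not ns.get("matchLabels") and not ns.get("matchExpressions")

def rule_breaks_isolation(rule):
    peers = rule.get("to") or []
    # An egress rule with no "to" list allows traffic to every destination.
    return not peers or any(peer_reaches_all_namespaces(p) for p in peers)

def find_broad_egress(policies):
    """(namespace, name) of policies whose egress escapes their namespace."""
    hits = []
    for item in policies["items"]:
        spec = item.get("spec", {})
        # Egress is enforced if listed in policyTypes, or by default when an egress key exists.
        egress_on = "Egress" in spec["policyTypes"] if "policyTypes" in spec else "egress" in spec
        if egress_on and any(rule_breaks_isolation(r) for r in spec.get("egress", [])):
            hits.append((item["metadata"]["namespace"], item["metadata"]["name"]))
    return hits

def find_prefixed(policies, prefix="inter-ns-"):
    """Policies carrying the name prefix the advisory identifies."""
    return [(i["metadata"]["namespace"], i["metadata"]["name"])
            for i in policies["items"] if i["metadata"]["name"].startswith(prefix)]

def delete_commands(policies, prefix="inter-ns-"):
    """kubectl commands for the advisory's manual mitigation; returned for review, not executed."""
    return [f"kubectl delete networkpolicy -n {ns} {name}"
            for ns, name in find_prefixed(policies, prefix)]
```

Feed it real cluster output with `json.load` in place of `SAMPLE_POLICIES`; the broad-egress list is for step 3's audit and is not automatically deleted, since scoped cross-namespace rules such as the DNS one are legitimate.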


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-13T15:02:00.627Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69bb2a8a771bdb1749cbc621

Added to database: 3/18/2026, 10:43:22 PM

Last enriched: 3/18/2026, 10:57:51 PM

Last updated: 3/19/2026, 1:38:45 AM

