CVE-2026-32769: CWE-284: Improper Access Control in ctfer-io fullchain
CVE-2026-32769 is a high-severity vulnerability in ctfer-io fullchain versions prior to 0.1.1 caused by an improperly configured NetworkPolicy. This misconfiguration allows a malicious actor who has compromised an application pod to pivot laterally to any pod outside the origin namespace, breaking the expected security-by-default isolation. Exploitation requires no authentication or user interaction and can lead to unauthorized access across namespaces within a Kubernetes cluster. The issue has been fixed in version 0.1.1 by correcting the NetworkPolicy. Until patching, deleting the problematic inter-ns- prefixed NetworkPolicy in the target namespace can mitigate the risk. This vulnerability impacts confidentiality and integrity by enabling lateral movement and potential further compromise within containerized environments.
AI Analysis
Technical Summary
CVE-2026-32769 is an improper access control vulnerability (CWE-284) affecting the ctfer-io fullchain CTF platform project in versions before 0.1.1. The root cause is a mis-written Kubernetes NetworkPolicy that governs inter-namespace traffic. NetworkPolicies are intended to restrict pod-to-pod communication to enforce security boundaries within Kubernetes clusters. However, the flawed policy in fullchain allows pods compromised in one namespace to communicate with pods in other namespaces, violating the principle of least privilege and security-by-default expectations. This lateral movement capability can enable attackers to escalate their access, move stealthily within the cluster, and potentially access sensitive data or disrupt services. The vulnerability has a CVSS 4.0 score of 7.1 (high severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but with high scope and impact on confidentiality, integrity, and availability. The issue was publicly disclosed on March 20, 2026, and fixed in version 0.1.1 by correcting the NetworkPolicy configuration. Until patching, deleting the faulty inter-ns- prefixed NetworkPolicy in affected namespaces can serve as a temporary mitigation.
Potential Impact
This vulnerability enables lateral movement within Kubernetes clusters running fullchain versions prior to 0.1.1, allowing attackers who have compromised a pod in one namespace to access pods in other namespaces. This breaks namespace isolation, increasing the risk of data breaches, unauthorized access to sensitive workloads, and potential cluster-wide compromise. For organizations using fullchain as a CTF platform or for other purposes, this could lead to exposure of challenge data, user information, or internal infrastructure. The ability to move laterally without authentication or user interaction increases the attack surface and reduces the effort required for attackers to escalate privileges or disrupt services. Enterprises relying on Kubernetes multi-tenant environments or namespace segmentation are particularly at risk, as the vulnerability undermines fundamental security controls. Although no known exploits are reported in the wild yet, the high severity and ease of exploitation warrant urgent remediation to prevent potential attacks.
Mitigation Recommendations
1. Upgrade fullchain to version 0.1.1 or later, where the NetworkPolicy misconfiguration is corrected.
2. As an immediate workaround before patching, identify and delete any NetworkPolicy resources in the target namespaces that have names prefixed with inter-ns-, which are responsible for the flawed inter-namespace traffic rules.
3. Review and audit all Kubernetes NetworkPolicies in the cluster to ensure they enforce strict namespace isolation and adhere to the principle of least privilege.
4. Implement network segmentation and monitoring to detect unusual pod-to-pod communications that could indicate lateral movement attempts.
5. Employ Kubernetes Role-Based Access Control (RBAC) to limit who can create or modify NetworkPolicies to prevent introduction of insecure policies.
6. Use runtime security tools to monitor pod behavior and network flows for anomalies.
7. Regularly update and patch Kubernetes components and related applications to incorporate security fixes promptly.
8. Conduct security training for DevOps and platform teams on secure NetworkPolicy design and cluster hardening best practices.
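One way to carry out items 2 and 3 above, as an added example that is not part of the advisory or of the fullchain project: the script takes the JSON produced by `kubectl get networkpolicy -A -o json` and lists every rule peer that reaches outside the policy's own namespace, marking names that start with inter-ns-. The sample policies are constructed for illustration; the page does not show the flawed manifest, so they are assumptions and not the real policy.

```python
import json

PREFIX = "inter-ns-"  # name prefix the advisory says to look for
# Constructed sample shaped like `kubectl get networkpolicy -A -o json` output.
# It is NOT the fullchain policy; the page does not show that manifest.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "inter-ns-example", "namespace": "app"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"],
           "egress": [{"to": [{"namespaceSelector": {}}]}]}},
 {"metadata": {"name": "same-ns-only", "namespace": "app"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"],
           "egress": [{"to": [{"podSelector": {}}]}]}},
 {"metadata": {"name": "to-monitoring", "namespace": "app"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"namespaceSelector":
               {"matchLabels": {"team": "monitoring"}}}]}]}}
]}
""")

def peer_reach(peer):
    """Classify how far one NetworkPolicy peer reaches."""
    if "ipBlock" in peer:
        return "ip-block"
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        return "same-namespace"   # podSelector alone stays in the policy's namespace
    if not ns_sel.get("matchLabels") and not ns_sel.get("matchExpressions"):
        return "all-namespaces"   # an empty selector {} matches every namespace
    return "selected-namespaces"

def audit(policy_list):
    """Return (namespace, name, direction, reach, has_prefix) per peer leaving the namespace."""
    findings = []
    for pol in policy_list.get("items", []):
        meta, spec = pol["metadata"], pol.get("spec", {})
        for direction, key in (("egress", "to"), ("ingress", "from")):
            for rule in spec.get(direction) or []:
                peers = rule.get(key) or []
                # A rule with no peers allows every source or destination.
                reaches = [peer_reach(p) for p in peers] or ["any-peer"]
                for reach in reaches:
                    if reach != "same-namespace":
                        findings.append((meta["namespace"], meta["name"], direction,
                                         reach, meta["name"].startswith(PREFIX)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Against a live cluster, load the saved kubectl output with `json.load` and pass it to `audit` in place of `SAMPLE`.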
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T18:53:03.534Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bc9abfe32a4fbe5f1030f4
Added to database: 3/20/2026, 12:54:23 AM
Last enriched: 3/27/2026, 7:34:31 PM
Last updated: 5/2/2026, 12:13:46 AM