Description
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod outside of it. This breaks the security-by-default property expected as part of the deployment program, leading to potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Depending on one's context, delete the failing network policy, which should be prefixed by `inter-ns-`, in the target namespace.
Published: 2026-03-18
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized lateral movement within a Kubernetes cluster
Action: Immediate patch
AI Analysis

Impact

Romeo is a Go code coverage tool for GitHub Actions. A mis-written NetworkPolicy in releases prior to 0.2.1 allows a malicious actor that can reach the hardened namespace to reach any pod outside that namespace. The vulnerability permits lateral movement within a Kubernetes cluster and undermines the default hardening expected when deploying Romeo. The weakness is a lack of proper authorization controls in the NetworkPolicy, classified under CWE-284 (Improper Access Control).

Affected Systems

The affected product is Romeo from ctfer-io. Any installation of Romeo before version 0.2.1 is vulnerable. The misconfigured NetworkPolicy applies to all namespaces where Romeo is deployed. Versions 0.2.1 and later no longer contain the faulty `inter-ns` policy.

Risk and Exploitability

The CVSS score of 7.9 indicates high severity. The EPSS score is below 1%, suggesting that exploitation attempts are unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. However, if an attacker can compromise or inject traffic into the hardened namespace, the mis-written policy can be exploited via normal Kubernetes networking channels, enabling a pivot to any pod in the cluster. In the absence of monitoring or network segmentation, the risk is that compromised namespaces could be used as footholds for further attacks.

Generated by OpenCVE AI on March 25, 2026 at 03:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Romeo to version 0.2.1 or later.
  • If an upgrade is not possible, delete the `inter-ns` NetworkPolicy from all namespaces.
  • Remove any remaining NetworkPolicy objects prefixed with `inter-ns-` that were created by Romeo in target namespaces.
  • Plan to update Romeo to the latest release as soon as possible to eliminate the issue permanently.
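As an added example (not Romeo's or OpenCVE's code), the following Python script reads the JSON produced by `kubectl get networkpolicy -n <namespace> -o json`, lists every policy whose name carries the `inter-ns-` prefix named in the advisory and, as an assumption the page does not state, also flags any policy whose egress rules can reach peers outside the namespace. The namespace name and the sample input are constructed.

```python
import json

INTER_NS_PREFIX = "inter-ns-"  # prefix named in the advisory

def egress_leaves_namespace(policy: dict) -> bool:
    """True if an egress rule can reach peers outside the policy's namespace.
    Assumed shape of the faulty policy (the page does not show it): a rule with
    no 'to' list allows all destinations; a namespaceSelector or ipBlock peer
    selects endpoints beyond the local namespace."""
    spec = policy.get("spec", {})
    # Without policyTypes, Kubernetes infers Egress only if an egress key exists.
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Egress" not in types:
        return False
    for rule in spec.get("egress") or []:  # missing/empty list = deny all egress
        peers = rule.get("to")
        if not peers or any("namespaceSelector" in p or "ipBlock" in p for p in peers):
            return True
    return False

def find_policies_to_delete(kubectl_json: str) -> list:
    """Return (namespace, name, reasons) for policies matching the advisory."""
    flagged = []
    for pol in json.loads(kubectl_json).get("items", []):
        ns, name = pol["metadata"]["namespace"], pol["metadata"]["name"]
        reasons = []
        if name.startswith(INTER_NS_PREFIX):
            reasons.append("name prefix")
        if egress_leaves_namespace(pol):
            reasons.append("cross-namespace egress")
        if reasons:
            flagged.append((ns, name, reasons))
    return flagged

def _np(name, spec):  # builds one constructed NetworkPolicy object
    return {"metadata": {"name": name, "namespace": "romeo-hardened"}, "spec": spec}

# Constructed stand-in for `kubectl get networkpolicy -n romeo-hardened -o json`.
SAMPLE = json.dumps({"items": [
    _np("inter-ns-a1b2c3", {"podSelector": {}, "policyTypes": ["Egress"],
                           "egress": [{"to": [{"namespaceSelector": {}}]}]}),
    _np("default-deny", {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}),
    _np("allow-same-ns", {"podSelector": {}, "policyTypes": ["Egress"],
                         "egress": [{"to": [{"podSelector": {}}]}]}),
]})

if __name__ == "__main__":
    for ns, name, why in find_policies_to_delete(SAMPLE):
        print(f"kubectl delete networkpolicy -n {ns} {name}  # {', '.join(why)}")
```

Review the printed `kubectl delete` lines before running them; a policy flagged only for cross-namespace egress may be intentional (for example DNS to kube-system) and is a finding to check, not an automatic deletion.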


Advisories
Source: GitHub GHSA
ID: GHSA-fgm3-q9r5-43v9
Title: Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace
History

Wed, 25 Mar 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:ctfer-io:romeo:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared: Ctfer-io; Ctfer-io romeo
Vendors & Products: Ctfer-io; Ctfer-io romeo

Wed, 18 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace.
Title Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 7.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:11:32.934Z

Reserved: 2026-03-13T15:02:00.627Z

Link: CVE-2026-32737

Vulnrichment

Updated: 2026-03-20T17:09:42.472Z

NVD

Status : Analyzed

Published: 2026-03-18T23:17:30.050

Modified: 2026-03-25T01:09:23.533

Link: CVE-2026-32737

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:52Z

Weaknesses