Description
Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. The flawed inter-ns NetworkPolicy breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This issue has been fixed in version 0.1.1. To work around it, delete the failing network policy that should be prefixed by inter-ns- in the target namespace.
Published: 2026-03-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Namespace Lateral Movement
Action: Upgrade
AI Analysis

Impact

The vulnerability stems from a mis‑written NetworkPolicy in Fullchain versions before 0.1.1. That policy incorrectly permits traffic between Pods in different namespaces, effectively granting an attacker who compromises one Pod the ability to access any Pod elsewhere in the cluster. This flaw is an authorization failure (CWE‑284) that facilitates lateral movement and undermines the intended namespace isolation, potentially exposing sensitive data or allowing further compromise of cluster resources.

Affected Systems

The affected product is Fullchain, produced by ctfer. All releases older than 0.1.1 are vulnerable. The fix is delivered in Fullchain 0.1.1 and later.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high severity. The EPSS score of less than 1 % suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an initial foothold within a namespace‑restricted application Pod; once inside, the attacker can pivot across namespaces because the faulty policy permits inter‑namespace communication.

Generated by OpenCVE AI on April 18, 2026 at 09:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fullchain to version 0.1.1 or later, which corrects the NetworkPolicy documentation and enforcement.
  • Delete the mis‑written NetworkPolicy prefixed by inter‑ns‑ in each affected namespace to restore the intended isolation until a patch is applied.
  • Verify that the deployment’s default deny inbound policy is active and that no other NetworkPolicies allow unintended namespace communication.
  • Monitor inter‑namespace traffic for abnormal patterns that could indicate an attempted lateral movement.
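The pattern behind the third recommended action, as an added example that is not Fullchain's own manifest: a default-deny ingress policy plus an allow rule scoped to the same namespace, with a comment showing how an over-broad peer selector widens such a rule to every namespace. The namespace name ctf-app is assumed, and the page does not state which exact selector mistake Fullchain's inter-ns- policy contained.

```yaml
# Added example (not Fullchain's own manifests). Namespace "ctf-app" is an assumed name.
# 1) Deny all ingress to every Pod in the namespace unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ctf-app
spec:
  podSelector: {}          # selects every Pod in ctf-app
  policyTypes:
  - Ingress                # no ingress rules listed, so nothing is allowed in
---
# 2) Re-open traffic only from Pods in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: ctf-app
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}      # a podSelector alone is scoped to the policy's own namespace
    # A common way such a rule is mis-written (the page does not say this is
    # Fullchain's exact mistake) is to add a peer such as:
    #   - namespaceSelector: {}
    # An empty namespaceSelector matches EVERY namespace, so a Pod compromised
    # elsewhere in the cluster could reach these Pods; that is the kind of
    # inter-namespace reach the advisory describes.
```

To audit a namespace, list its policies with `kubectl get networkpolicy -n ctf-app -o yaml` and inspect every `from` peer for an empty or broad `namespaceSelector`. NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so confirm that as well.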

Generated by OpenCVE AI on April 18, 2026 at 09:36 UTC.


Advisories
Source: Github GHSA
ID: GHSA-hxm7-9q36-c77f
Title: Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace
History

Thu, 16 Apr 2026 13:45:00 +0000

Values added (nothing removed):
First Time appeared: Ctfer; Ctfer fullchain
Weaknesses: NVD-CWE-noinfo
CPEs: cpe:2.3:a:ctfer:fullchain:*:*:*:*:*:go:*:*
Vendors & Products: Ctfer; Ctfer fullchain
Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 20:15:00 +0000

Values added (nothing removed):
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Values added (nothing removed):
First Time appeared: Ctfer-io; Ctfer-io fullchain
Vendors & Products: Ctfer-io; Ctfer-io fullchain

Fri, 20 Mar 2026 01:00:00 +0000

Values added (nothing removed):
Description: Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. The flawed inter-ns NetworkPolicy breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This issue has been fixed in version 0.1.1. To workaround, delete the failing network policy that should be prefixed by inter-ns- in the target namespace.
Title: Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace
Weaknesses: CWE-284
References:
Metrics (cvssV4_0): {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:01:28.750Z

Reserved: 2026-03-13T18:53:03.534Z

Link: CVE-2026-32769

Vulnrichment

Updated: 2026-03-20T20:01:25.279Z

NVD

Status : Analyzed

Published: 2026-03-20T01:15:55.780

Modified: 2026-04-16T13:36:01.170

Link: CVE-2026-32769

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses