Description
Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. The flawed inter-ns NetworkPolicy breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This issue has been fixed in version 0.1.1. To workaround, delete the failing network policy that should be prefixed by inter-ns- in the target namespace.
Published: 2026-03-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Namespace Lateral Movement
Action: Upgrade
AI Analysis

Impact

The vulnerability is caused by a mis‑written NetworkPolicy in Fullchain versions prior to 0.1.1. The policy incorrectly permits traffic between Pods in different namespaces, allowing a malicious actor who compromises a Pod in one namespace to reach any Pod in another namespace. This represents an access‑control flaw (CWE‑284) that can lead to lateral movement within the Kubernetes cluster, potentially exposing sensitive data or further compromising cluster resources.

Affected Systems

Affected product: ctfer‑io:fullchain. All releases older than 0.1.1 are vulnerable. No specific patch version list is provided other than the note that the issue was fixed in 0.1.1.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high severity. EPSS data is unavailable, so the current likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Credentialed or successfully compromised application Pods can pivot across namespaces, so the attack vector is cluster‑internal and requires initial access to a compromised Pod. The impact is potential unauthorized data exposure and service disruption within the cluster.

Generated by OpenCVE AI on March 20, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fullchain to v0.1.1 or later.
  • Delete the inter‑ns‑ prefixed NetworkPolicy in the affected namespace to revert to the intended network isolation.

Generated by OpenCVE AI on March 20, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hxm7-9q36-c77f Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace
History

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Ctfer-io
Ctfer-io fullchain
Vendors & Products Ctfer-io
Ctfer-io fullchain

Fri, 20 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. The flawed inter-ns NetworkPolicy breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. This issue has been fixed in version 0.1.1. To workaround, delete the failing network policy that should be prefixed by inter-ns- in the target namespace.
Title Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Ctfer-io Fullchain
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:01:28.750Z

Reserved: 2026-03-13T18:53:03.534Z

Link: CVE-2026-32769

cve-icon Vulnrichment

Updated: 2026-03-20T20:01:25.279Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T01:15:55.780

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-32769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T10:43:36Z

Weaknesses