CVE-2026-32768

9.9 CRITICAL
Published: March 20, 2026
Modified: April 08, 2026

Description

Chall-Manager is a platform-agnostic system that starts Challenges on Demand for a player. In versions prior to 0.6.5, a miswritten NetworkPolicy lets a malicious actor pivot from an instance to any Pod outside the origin namespace. This breaks the security-by-default property expected of the deployment program and opens the way to lateral movement. In the specific case of sdk/kubernetes.Kompose, instances are not isolated. This issue has been fixed in version 0.6.5.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/ctfer-io/chall-manager/releases/tag/v0.6.5
Source: security-advisories@github.com
Release Notes
https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-mw24-f3xh-j3qv
Source: security-advisories@github.com
Mitigation Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.9 / 10.0
EPSS (Exploit Probability)
0.0%
15th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

ctfer-io