CVE-2026-32768

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. In the specific case of sdk/kubernetes.Kompose it does not isolate the instances. This issue has been fixed in version 0.6.5.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/ctfer-io/chall-manager/commit/dc5ef27dfed2befef7f506ab8ca14d062b0d79c5	Patch
https://github.com/ctfer-io/chall-manager/releases/tag/v0.6.5	Release Notes
https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-mw24-f3xh-j3qv	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ctfer-io:chall-manager:*:*:*:*:*:*:*:*

History

08 Apr 2026, 20:49

Type	Values Removed	Values Added
References	~~() https://github.com/ctfer-io/chall-manager/commit/dc5ef27dfed2befef7f506ab8ca14d062b0d79c5 -~~	() https://github.com/ctfer-io/chall-manager/commit/dc5ef27dfed2befef7f506ab8ca14d062b0d79c5 - Patch
References	~~() https://github.com/ctfer-io/chall-manager/releases/tag/v0.6.5 -~~	() https://github.com/ctfer-io/chall-manager/releases/tag/v0.6.5 - Release Notes
References	~~() https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-mw24-f3xh-j3qv -~~	() https://github.com/ctfer-io/chall-manager/security/advisories/GHSA-mw24-f3xh-j3qv - Mitigation, Vendor Advisory
CPE		cpe:2.3:a:ctfer-io:chall-manager::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.9
First Time		Ctfer-io Ctfer-io chall-manager
Summary		(es) Chall-Manager es un sistema agnóstico de plataforma capaz de iniciar Desafíos bajo demanda de un jugador. En versiones anteriores a la 0.6.5, debido a una NetworkPolicy mal escrita, un actor malicioso puede pivotar desde una instancia a cualquier Pod fuera del espacio de nombres de origen. Esto rompe la propiedad de seguridad por defecto esperada como parte del programa de despliegue, lo que lleva a un movimiento lateral potencial. En el caso específico de SDK/kubernetes.Kompose, no aísla las instancias. Este problema ha sido solucionado en la versión 0.6.5.

20 Mar 2026, 06:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 06:16

Updated : 2026-04-08 20:49

NVD link : CVE-2026-32768

Mitre link : CVE-2026-32768

CVE.ORG link : CVE-2026-32768

JSON object : View

Products Affected

ctfer-io

chall-manager

CWE

CWE-284

Improper Access Control

9.9 /10