Critical severity 9.9 · NVD Advisory · Published Mar 20, 2026 · Updated Apr 8, 2026
CVE-2026-32768
Description
Chall-Manager is a platform-agnostic system able to start Challenges on Demand for a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod outside the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to potential lateral movement. In the specific case of sdk/kubernetes.Kompose, the instances are not isolated. This issue has been fixed in version 0.6.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ctfer-io/chall-manager/deploy (Go) | < 0.6.5 | 0.6.5 |
| github.com/ctfer-io/chall-manager/sdk (Go) | < 0.6.5 | 0.6.5 |
Affected products
- ghsa-coords (3 versions), range: < 0.6.5
  - pkg:golang/github.com/ctfer-io/chall-manager/deploy
  - pkg:golang/github.com/ctfer-io/chall-manager/sdk
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- (no CPE) range: < 0.6.5
- (no CPE) range: < 0.6.5
- (no CPE) range: < 0.0.20260326T203309-150000.1.155.2
References
- github.com/ctfer-io/chall-manager/commit/dc5ef27dfed2befef7f506ab8ca14d062b0d79c5 (nvd: Patch; WEB)
- github.com/advisories/GHSA-mw24-f3xh-j3qv (ghsa: ADVISORY)
- github.com/ctfer-io/chall-manager/security/advisories/GHSA-mw24-f3xh-j3qv (nvd: Mitigation, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-32768 (ghsa: ADVISORY)
- github.com/ctfer-io/chall-manager/releases/tag/v0.6.5 (nvd: Release Notes; WEB)