{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32737", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.627Z", "datePublished": "2026-03-18T22:23:09.952Z", "dateUpdated": "2026-03-20T18:11:32.934Z"}, "containers": {"cna": {"title": "Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9"}, {"name": "https://github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78", "tags": ["x_refsource_MISC"], "url": "https://github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78"}], "affected": [{"vendor": "ctfer-io", "product": "romeo", "versions": [{"version": "< 0.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T22:23:09.952Z"}, "descriptions": [{"lang": "en", "value": "Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the \"hardened\" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace."}], "source": {"advisory": "GHSA-fgm3-q9r5-43v9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:09:36.554290Z", "id": "CVE-2026-32737", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:11:32.934Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32737", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:09:36.554290Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:09:42.472Z"}}], "cna": {"title": "Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace", "source": {"advisory": "GHSA-fgm3-q9r5-43v9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ctfer-io", "product": "romeo", "versions": [{"status": "affected", "version": "< 0.2.1"}]}], "references": [{"url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9", "name": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78", "name": "https://github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the \"hardened\" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T22:23:09.952Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32737", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:11:32.934Z", "dateReserved": "2026-03-13T15:02:00.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T22:23:09.952Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ctfer-io:romeo:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0F3969C-FB2C-4213-B227-E8C8F14CDA8F", "versionEndExcluding": "0.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the \"hardened\" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace."}, {"lang": "es", "value": "Romeo proporciona la capacidad de alcanzar una alta cobertura de c\u00f3digo de aplicaciones Go ?1.20 al ayudar a medir la cobertura de c\u00f3digo para pruebas funcionales y de integraci\u00f3n dentro de GitHub Actions. Antes de la versi\u00f3n 0.2.1, debido a una NetworkPolicy mal escrita, un actor malicioso puede pivotar desde el espacio de nombres 'hardened' a cualquier Pod fuera de este. Esto rompe la propiedad de seguridad por defecto esperada como parte del programa de despliegue, lo que lleva a un posible movimiento lateral. Eliminar la NetworkPolicy 'inter-ns' corrige la vulnerabilidad en la versi\u00f3n 0.2.1. Si las actualizaciones no son posibles en entornos de producci\u00f3n, elimine manualmente 'inter-ns' y actualice lo antes posible. Dado el contexto de cada uno, elimine la pol\u00edtica de red fallida que deber\u00eda tener el prefijo 'inter-ns-' en el espacio de nombres de destino."}], "id": "CVE-2026-32737", "lastModified": "2026-03-25T01:09:23.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T23:17:30.050", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "romeo", "source": "cna", "vendor": "ctfer-io"}, "product": "romeo", "vendor": "ctfer-io"}], "analysis": {"en": {"generated_at": "2026-03-25T03:04:41.352210+00:00", "value": {"mitigation_remediation": ["Upgrade Romeo to version 0.2.1 or later.", "If an upgrade is not possible, delete the inter\u2011ns NetworkPolicy from all namespaces.", "Remove any remaining NetworkPolicy objects prefixed with inter\u2011ns- that were created by Romeo in target namespaces.", "Plan to update Romeo to the latest release as soon as possible to eliminate the issue permanently."], "summary": {"action": "Immediate patch", "impact": "Unauthorized lateral movement within a Kubernetes cluster"}, "threat_synthesis": {"affected_systems": "The affected product is Romeo from ctfer\u2011io. Any installation of Romeo before version 0.2.1 is vulnerable. The misconfigured NetworkPolicy applies to all namespaces where Romeo is deployed. Versions 0.2.1 and later no longer contain the faulty inter\u2011ns policy.", "description_and_impact": "Romeo is a Go code coverage tool for GitHub Actions. A mis\u2011written NetworkPolicy in releases prior to 0.2.1 allows a malicious actor that can reach the hardened namespace to reach any pod outside that namespace. The vulnerability permits lateral movement within a Kubernetes cluster and undermines the default hardening expected when deploying Romeo. The weakness is a lack of proper authorization controls in the NetworkPolicy, classified under CWE\u2011284 (Access Control).", "risk_and_exploitability": "The CVSS score of 7.9 indicates high severity. The EPSS score is below 1\u202f%, suggesting that exploitation attempts are unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. However, if an attacker can compromise or inject traffic into the hardened namespace, the mis\u2011written policy can be exploited via normal Kubernetes networking channels, enabling a pivot to any pod in the cluster. In absence of monitoring or network segmentation, the risk is that compromised namespaces could be used as footholds for further attacks."}}}}, "created": "2026-03-19T08:55:08.978862+00:00", "updated": "2026-03-25T11:51:52.291339+00:00", "vendors": ["ctfer-io", "ctfer-io$PRODUCT$romeo"]}