{"id":"CVE-2026-32737","summary":"Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace","details":"Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the \"hardened\" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace.","aliases":["GHSA-fgm3-q9r5-43v9","GO-2026-4714"],"modified":"2026-04-02T13:26:13.452421Z","published":"2026-03-18T22:23:09.952Z","related":["SUSE-SU-2026:1135-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-284"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32737.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32737.json"},{"type":"ADVISORY","url":"https://github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32737"},{"type":"FIX","url":"https://github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ctfer-io/romeo","events":[{"introduced":"0"},{"fixed":"3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78"}]}],"versions":["environment/v0.1.0","environment/v0.1.1","environment/v0.1.2","environment/v0.1.3","environment/v0.1.4","environment/v0.1.5","environment/v0.1.6","environment/v0.1.7","environment/v0.1.8","environment/v0.1.9","environment/v0.2.0","install/v0.1.0","install/v0.1.1","install/v0.1.2","install/v0.1.3","install/v0.1.4","install/v0.1.5","install/v0.1.6","install/v0.1.7","install/v0.1.8","install/v0.1.9","install/v0.2.0","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.1.9","v0.2.0","webserver/v0.1.0","webserver/v0.1.1","webserver/v0.1.2","webserver/v0.1.3","webserver/v0.1.4","webserver/v0.1.5","webserver/v0.1.6","webserver/v0.1.7","webserver/v0.1.8","webserver/v0.1.9","webserver/v0.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32737.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"}]}