Severity: 7.1 (CVSS 4.0)
github.com/ctfer-io/monitoring Vulnerable to Improper Access Control
GHSA-7x23-j8gv-v54x
CVE-2026-32720
What to do
- Update github.com/ctfer-io/monitoring to version 0.2.1 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | ctfer-io/monitoring | < 0.2.1 | 0.2.1 |
Original title
github.com/ctfer-io/monitoring Vulnerable to Improper Access Control
Original description
### Impact
Due to a mis-written NetworkPolicy, a malicious actor can pivot from a component to any other namespace.
This breaks the security-by-default property expected as part of the deployment program, leading to potential lateral movement.
### Patch
Removing the `inter-ns` NetworkPolicy patches the vulnerability. If updating is not possible in production environments, we recommend deleting it manually and updating as soon as possible.
### Workaround
Given your context, delete the failing network policy, whose name should be prefixed by `inter-ns-`, in each monitoring namespace (those named `monitoring-*`).
You can use the following to delete all matching network policies. If unsure of the outcome, please do it manually.
```bash
# Iterate over every namespace whose name starts with "monitoring-".
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep '^monitoring-'); do
  # List NetworkPolicy names, keep only those prefixed "inter-ns-", and delete them.
  # xargs -r skips the delete entirely when nothing matched.
  kubectl -n "$ns" get networkpolicy -o name \
    | grep '^networkpolicy.networking.k8s.io/inter-ns-' \
    | xargs -r kubectl -n "$ns" delete
done
```
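Deleting the `inter-ns-*` policies removes the known bad object, but it does not tell you whether any other NetworkPolicy in the cluster has the same shape of mistake. The audit below is an added example, not code from the ctfer-io/monitoring project, and the advisory does not show the real `inter-ns` policy, so the two policy documents inside it are constructed for illustration (the names `inter-ns-example`, `egress-to-peer` and the namespaces `monitoring-example`, `monitoring-peer` are made up). It walks NetworkPolicy objects in the JSON shape `kubectl get networkpolicy -A -o json` returns and flags the rules that reach every namespace: a peer whose `namespaceSelector` is present but empty (`{}` selects all namespaces, whereas an absent selector means the policy's own namespace only), a rule with no `from`/`to` peers at all (matches all sources or destinations), and an `ipBlock` of `0.0.0.0/0` or `::/0` with no `except` list.

```python
"""Audit Kubernetes NetworkPolicy objects for rules that reach into every namespace.

Added example; not the ctfer-io/monitoring project's code. The SAMPLE policies
are constructed for illustration and do not reproduce the project's real policy.
"""
import json
import sys
from typing import Dict, List, Tuple

ANY_CIDRS = ("0.0.0.0/0", "::/0")


def selects_everything(selector: dict) -> bool:
    """A present LabelSelector with no matchLabels and no matchExpressions matches all objects."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def peer_findings(peer: dict) -> List[str]:
    """Flag a NetworkPolicyPeer that is not confined to one namespace or a bounded CIDR."""
    findings = []
    ns_sel = peer.get("namespaceSelector")
    # Absent namespaceSelector: the peer lives in the policy's own namespace.
    # Present but empty ({}): every namespace in the cluster.
    if ns_sel is not None and selects_everything(ns_sel):
        pod_sel = peer.get("podSelector")
        scope = "all pods" if pod_sel is None or selects_everything(pod_sel) else "label-matched pods"
        findings.append(f"namespaceSelector {{}} reaches {scope} in every namespace")
    ip_block = peer.get("ipBlock")
    if ip_block and ip_block.get("cidr") in ANY_CIDRS and not ip_block.get("except"):
        findings.append(f"ipBlock {ip_block['cidr']} with no except list allows any address")
    return findings


def audit_policy(policy: dict) -> Tuple[str, List[str]]:
    """Return ("namespace/name", findings) for one NetworkPolicy object."""
    meta = policy["metadata"]
    spec = policy.get("spec", {})
    ident = f"{meta.get('namespace', 'default')}/{meta['name']}"
    findings = []
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction, [])):
            peers = rule.get(key)
            if not peers:  # missing or empty peer list: the rule matches all sources/destinations
                findings.append(f"{direction}[{i}] has no '{key}' peers: allows all traffic in that direction")
                continue
            for peer in peers:
                findings.extend(f"{direction}[{i}]: {msg}" for msg in peer_findings(peer))
    return ident, findings


def audit_policy_list(doc: dict) -> Dict[str, List[str]]:
    """Audit a kubectl `-o json` List; returns only the policies that have findings."""
    report: Dict[str, List[str]] = {}
    for item in doc.get("items", []):
        ident, findings = audit_policy(item)
        if findings:
            report[ident] = findings
    return report


# Constructed sample in the shape of `kubectl get networkpolicy -A -o json`.
# Names, namespaces and labels are illustrative only.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # over-broad: egress to every pod in every namespace
            "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "inter-ns-example", "namespace": "monitoring-example"},
            "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                     "egress": [{"to": [{"namespaceSelector": {}}]}]},
        },
        {   # confined: egress only to one named namespace
            "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "egress-to-peer", "namespace": "monitoring-example"},
            "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                     "egress": [{"to": [{"namespaceSelector": {
                         "matchLabels": {"kubernetes.io/metadata.name": "monitoring-peer"}}}]}]},
        },
    ],
}

if __name__ == "__main__":
    # Pass a file produced by `kubectl get networkpolicy -A -o json`, or run on SAMPLE.
    doc = SAMPLE if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    for ident, findings in audit_policy_list(doc).items():
        print(ident)
        for msg in findings:
            print("  -", msg)
```

Run it against a real dump after applying the workaround: an empty report means no policy in the dump still opens a cross-namespace path of these three shapes. It does not prove the opposite; a `namespaceSelector` with a label that happens to be present on every namespace is just as broad and only shows up if you know your cluster's labels.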
Severity: CVSS 4.0 score 7.1 (source: GHSA)
Vulnerability type: CWE-284 Improper Access Control
References
- https://github.com/ctfer-io/monitoring/security/advisories/GHSA-7x23-j8gv-v54x
- https://github.com/ctfer-io/monitoring/pull/168
- https://github.com/ctfer-io/monitoring/commit/5404a11863b32b14ee5c62d1215352ab51...
- https://github.com/ctfer-io/monitoring/releases/tag/v0.2.1
- https://github.com/advisories/GHSA-7x23-j8gv-v54x
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026