CVE-2026-32737 | ctfer-io romeo up to 0.2.0 access control

VDB-351641 · CVE-2026-32737 · GCVE-0-2026-32737 CTFER-IO ROMEO UP TO 0.2.0 ACCESS CONTROL HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 7.0 $0-$5k 1.39+ Summaryinfo A vulnerability has been found in ctfer-io romeo up to 0.2.0 and classified as critical. This issue affects some unknown processing. The manipulation leads to access control. This vulnerability is documented as CVE-2026-32737. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded. Detailsinfo A vulnerability, which was classified as critical, has been found in ctfer-io romeo up to 0.2.0. This issue affects an unknown part. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability. The summary by CVE is: Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace. The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-32737 since 03/13/2026. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1068 for this issue. Upgrading to version 0.2.1 eliminates this vulnerability. Productinfo Vendor ctfer-io Name romeo Version 0.1 0.2.0 Website Product: https://github.com/ctfer-io/romeo/ CPE 2.3info 🔒 🔒 CPE 2.2info 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 7.3 VulDB Meta Temp Score: 7.0 VulDB Base Score: 7.3 VulDB Temp Score: 7.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Access control CWE: CWE-284 / CWE-266 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: romeo 0.2.1 Timelineinfo 03/13/2026 CVE reserved 03/18/2026 +5 days VulDB entry created 03/19/2026 +0 days Advisory disclosed 03/19/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Status: Confirmed CVE: CVE-2026-32737 (🔒) GCVE (CVE): GCVE-0-2026-32737 GCVE (VulDB): GCVE-100-351641 Entryinfo Created: 03/19/2026 00:12 Changes: 03/19/2026 00:12 (66) Complete: 🔍 Cache ID: 99:181:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸