Description

Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace.

INFO

Published Date :

2026-03-18T22:23:09.952Z

Last Modified :

2026-03-20T18:11:32.934Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32737 vulnerability.

Vendors Products
Ctfer-io
  • Romeo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32737.

URL Resource
https://github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e78 cve-icon cve-icon
https://github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact