Vulnerability Description
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ctfer-Io | Romeo | < 0.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/ctfer-io/romeo/commit/3bb5e9d9ce1199dfbb90fef8ad79ebdeb0bc5e7Patch
- https://github.com/ctfer-io/romeo/security/advisories/GHSA-fgm3-q9r5-43v9Vendor Advisory
FAQ
What is CVE-2026-32737?
CVE-2026-32737 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a...
How severe is CVE-2026-32737?
CVE-2026-32737 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-32737?
Check the references section above for vendor advisories and patch information. Affected products include: Ctfer-Io Romeo.