
Kubernetes CVE-2026-32720

HIGH
Improper Access Control (CWE-284)
2026-03-13 https://github.com/ctfer-io/monitoring GHSA-7x23-j8gv-v54x
7.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE: HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (6 events)

  • Re-analysis Queued: Apr 16, 2026 - 14:52, vuln.today (cvss_changed)
  • CVSS changed: Apr 16, 2026 - 14:52, NVD (7.1 (HIGH))
  • PoC Detected: Mar 16, 2026 - 14:53, vuln.today (Public exploit code)
  • Patch released: Mar 16, 2026 - 14:53, nvd (Patch available)
  • Analysis Generated: Mar 13, 2026 - 21:01, vuln.today
  • CVE Published: Mar 13, 2026 - 20:58, nvd (HIGH)

Description (GitHub Advisory)

Impact

Due to a mis-written NetworkPolicy, a malicious actor can pivot from a component to any other namespace. This breaks the security-by-default property expected as part of the deployment program, leading to potential lateral movement.

Patch

Removing the inter-ns NetworkPolicy patches the vulnerability. If updates are not possible in production environments, we recommend manually deleting it and updating as soon as possible.

Workaround

Given your context, delete the failing network policy, which should be prefixed by inter-ns-, in the monitoring namespace. You can use the following to delete all matching network policies. If unsure of the outcome, please do it manually.

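```bash
# For every namespace whose name starts with "monitoring-", delete each
# NetworkPolicy whose name starts with "inter-ns-".
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep '^monitoring-'); do
  kubectl -n "$ns" get networkpolicy -o name \
  | grep '^networkpolicy.networking.k8s.io/inter-ns-' \
  | xargs -r kubectl -n "$ns" delete   # -r: run nothing when there is no match
done
```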
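
A review-first variant of the loop above, for when the outcome is uncertain (an added example, not part of the advisory or of the ctfer-io/monitoring project). It assumes the same `monitoring-` namespace prefix and `inter-ns-` policy prefix as the loop; the function names, the `demo`/`review`/`apply` subcommands and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list and inspect the targeted policies before deleting them.

# Constructed sample of "NAMESPACE NAME" pairs, used by the offline demo mode.
SAMPLE='monitoring-a1b2 inter-ns-collector
monitoring-a1b2 default-deny
monitoring inter-ns-collector
team-monitoring-x inter-ns-collector
monitoring-c3d4 inter-ns-grafana
monitoring-c3d4 allow-inter-ns-legacy'

# Keep only what the advisory's loop targets: a policy whose name starts with
# inter-ns- inside a namespace whose name starts with monitoring-.
# Input: "NAMESPACE NAME" lines on stdin. Output: one "namespace/name" per line.
match_inter_ns() {
  awk '$1 ~ /^monitoring-/ && $2 ~ /^inter-ns-/ { print $1 "/" $2 }'
}

# Read every NetworkPolicy in the cluster as "NAMESPACE NAME" pairs.
list_policies() {
  kubectl get networkpolicy -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name
}

# Dump each matching policy so its rules can be read before removal.
review() {
  list_policies | match_inter_ns | while IFS=/ read -r ns name; do
    echo "### $ns/$name"
    kubectl -n "$ns" get networkpolicy "$name" -o yaml
  done
}

# Delete the matches, then re-query: 0 remaining means the workaround is in place.
apply_fix() {
  list_policies | match_inter_ns | while IFS=/ read -r ns name; do
    kubectl -n "$ns" delete networkpolicy "$name"
  done
  remaining=$(list_policies | match_inter_ns | wc -l | tr -d ' ')
  echo "remaining inter-ns- policies: $remaining"
  [ "$remaining" -eq 0 ]
}

case "${1:-}" in
  demo)   printf '%s\n' "$SAMPLE" | match_inter_ns ;;
  review) review ;;
  apply)  apply_fix ;;
esac
```

Run `review` first and read the dumped rules, then `apply`; a non-zero exit from `apply` means matching policies are still present.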

Analysis (AI)

A misconfigured NetworkPolicy in Kubernetes deployments allows attackers to perform unauthorized lateral movement between namespaces, breaking namespace isolation security boundaries. This vulnerability affects Kubernetes environments with improperly configured inter-namespace NetworkPolicies, specifically those with 'inter-ns' prefixed policies in monitoring namespaces. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Compromise component in one namespace
  • Exploit: Exploit misconfigured inter-ns NetworkPolicy
  • Execution: Pivot to adjacent namespace
  • Impact: Access resources across namespaces

Vulnerability Assessment (AI)

Exploitation: Kubernetes cluster with misconfigured NetworkPolicy prefixed by 'inter-ns-' in monitoring namespace allowing cross-namespace traffic. …

Risk Assessment: While no CVSS score or EPSS data is available for this vulnerability, the real-world risk appears significant based on the impact description. …

Exploit Scenario: An attacker who gains initial access to a pod in one namespace could exploit this misconfigured NetworkPolicy to access services and data in other namespaces that should be isolated. For example, compromising a frontend application pod could allow the attacker to pivot and access backend databases or administrative services in different namespaces. …

Remediation: Remove all NetworkPolicies prefixed with 'inter-ns' from monitoring namespaces immediately. …

Recommended Action (AI)

Within 24 hours: Identify and document all Kubernetes clusters using the affected inter-ns NetworkPolicy; assess current namespace isolation and data sensitivity. …


Vendor Status

SUSE

Severity: High

Product: Status
openSUSE Leap 15.6: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6: Fixed
openSUSE Leap 15.5: Fixed
