CVE-2026-32771
published 2026-03-20


Priority P265 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.66% (46.7th percentile)
The CTFer.io Monitoring component is in charge of the collection, processing and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the `sanitizeArchivePath` function in `pkg/extract/extract.go` (lines 248–254) is vulnerable to path traversal because its `strings.HasPrefix` check is missing a trailing path separator. As a result, the extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.
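Added example, not the project's code: a minimal Go illustration of the flaw class named above, a `strings.HasPrefix` containment check with and without the trailing path separator. The function names `weakCheck` and `strictCheck`, the directory `/data/extract` and the entry names are constructed for illustration; the paths assume a Unix-style separator.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// weakCheck shows the flaw class: the prefix comparison has no trailing
// separator, so a sibling directory that shares the prefix is accepted.
// Hypothetical helper, not the project's sanitizeArchivePath.
func weakCheck(destDir, entry string) (string, error) {
	target := filepath.Join(destDir, entry)
	if strings.HasPrefix(target, filepath.Clean(destDir)) {
		return target, nil
	}
	return "", fmt.Errorf("illegal path: %s", entry)
}

// strictCheck anchors the prefix on a path separator, so only the
// destination itself or paths below it are accepted (hypothetical helper).
func strictCheck(destDir, entry string) (string, error) {
	base := filepath.Clean(destDir)
	prefix := base
	if !strings.HasSuffix(prefix, string(os.PathSeparator)) {
		prefix += string(os.PathSeparator) // "/" stays "/", everything else gains one
	}
	target := filepath.Join(base, entry)
	if target == base || strings.HasPrefix(target, prefix) {
		return target, nil
	}
	return "", fmt.Errorf("illegal path: %s", entry)
}

func main() {
	dest := "/data/extract" // constructed destination directory
	for _, e := range []string{"logs/app.log", "../extract-old/app.log", "../../etc/x"} {
		_, wErr := weakCheck(dest, e)
		_, sErr := strictCheck(dest, e)
		fmt.Printf("%-28q weak_ok=%t strict_ok=%t\n", e, wErr == nil, sErr == nil)
	}
}
```

The same three entry names make a compact regression test for any extractor that validates archive paths with a prefix comparison.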

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ctfer-io | monitoring | < 0.2.2 | 0.2.2 |
| ctfer | monitoring | < 0.2.2 | 0.2.2 |
| github.com | ctfer-io_monitoring | >= 0 < 0.2.2 | 0.2.2 |

Detection & IOCs

  • Vulnerable function is `sanitizeArchivePath` in `pkg/extract/extract.go` (lines 248–254); monitor for path traversal sequences in archive extraction paths processed by this function
  • Monitor for unexpected writes to sensitive files (shell configs, SSH keys, kubeconfig, crontabs) originating from the CTFer.io Monitoring component's extraction process, which may indicate exploitation
  • In Kubernetes environments, alert on cross-pod file writes to shared PVCs (ReadWriteMany access mode) from pods associated with github.com/ctfer-io/monitoring versions prior to 0.2.2
  • Default ReadWriteMany PVC access mode in the CTFer.io Monitoring deployment broadens the blast radius; any pod in the cluster can potentially inject a malicious payload via the shared volume

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 8.8 · HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X