CVE-2026-39429

Summary

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

Affected Software

VendorProductVersion RangeStatus
kcp-devkcp>= 0.30.0, < 0.30.3affected
kcp-devkcp< 0.29.3affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization
  • CWE-302: CWE-302: Authentication Bypass by Assumed-Immutable Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References