CVE-2026-39429 PUBLISHED

kcp's cache server is accessible without authentication or authorization checks

Assigner: GitHub_M
Reserved: 07.04.2026
Published: 08.04.2026
Updated: 08.04.2026

kcp is a Kubernetes-like control plane for form factors and use cases beyond Kubernetes and container workloads. Prior to versions 0.30.3 and 0.29.3, the cache server is exposed directly by the root shard with no authentication or authorization in place, so anyone who can reach the root shard can read from and write to the cache server. This vulnerability is fixed in versions 0.30.3 and 0.29.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 8.2

Product Status

Vendor: kcp-dev
Product: kcp
Versions
  • Version >= 0.30.0, < 0.30.3 is affected
  • Version < 0.29.3 is affected

Problem Types

  • CWE-862: Missing Authorization
  • CWE-302: Authentication Bypass by Assumed-Immutable Data