Description

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

Status: PUBLISHED | Reserved 2026-04-07 | Published 2026-04-08 | Updated 2026-04-10 | Assigner GitHub_M

Severity: HIGH 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Problem types

CWE-862: Missing Authorization

CWE-302: Authentication Bypass by Assumed-Immutable Data

Product status

>= 0.30.0, < 0.30.3: affected

< 0.29.3: affected

References

github.com/...ev/kcp/security/advisories/GHSA-3j3q-wp9x-585p

github.com/kcp-dev/kcp/releases/tag/v0.29.3

github.com/kcp-dev/kcp/releases/tag/v0.30.3

cve.org (CVE-2026-39429)

nvd.nist.gov (CVE-2026-39429)