CVE-2026-39429

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/kcp-dev/kcp/releases/tag/v0.29.3	Release Notes
https://github.com/kcp-dev/kcp/releases/tag/v0.30.3	Release Notes
https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:kcp:kcp::::::::
	cpe:2.3:a:kcp:kcp::::::::

History

15 Apr 2026, 19:15

Type	Values Removed	Values Added
First Time		Kcp Kcp kcp
CPE		cpe:2.3:a:kcp:kcp::::::::
References	~~() https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 -~~	() https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 - Release Notes
References	~~() https://github.com/kcp-dev/kcp/releases/tag/v0.30.3 -~~	() https://github.com/kcp-dev/kcp/releases/tag/v0.30.3 - Release Notes
References	~~() https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p -~~	() https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p - Exploit, Mitigation, Vendor Advisory

08 Apr 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 21:16

Updated : 2026-04-15 19:15

NVD link : CVE-2026-39429

Mitre link : CVE-2026-39429

CVE.ORG link : CVE-2026-39429

JSON object : View

Products Affected

kcp

kcp

CWE

CWE-302

Authentication Bypass by Assumed-Immutable Data

CWE-862

Missing Authorization

{"id": "CVE-2026-39429", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-04-08T21:16:59.313", "references": [{"url": "https://github.com/kcp-dev/kcp/releases/tag/v0.29.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kcp-dev/kcp/releases/tag/v0.30.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-302"}, {"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3."}], "lastModified": "2026-04-15T19:15:39.097", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kcp:kcp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFC8494E-4C32-4DC4-9093-197071C3FE3A", "versionEndExcluding": "0.29.3"}, {"criteria": "cpe:2.3:a:kcp:kcp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0237B688-7AC2-4DDB-A5E2-D50D6591CF66", "versionEndExcluding": "0.30.3", "versionStartIncluding": "0.30.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}