CVE-2026-39429

HIGH SEVERITY

CVSS Score & Metrics

Base Score: 8.2 / 10
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Vulnerability Description

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

Vulnerability Details

Published Date:
Last Modified:
CWE ID: CWE-302
Source: GitHub
Vendor: go
Product: github.com/kcp-dev/kcp

External References
