CVE-2026-39429

kcp's cache server is accessible without authentication or authorization checks

CVSS 8.2 HIGHEPSS 0.4%CWE-302 CWE-862

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Produtos afetados

kcp-dev · kcp

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 https://github.com/kcp-dev/kcp/releases/tag/v0.30.3 https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p