Description
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
Published: 2026-04-08
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Access to Cache Server
Action: Immediate Patch
AI Analysis

Impact

The cache server in kcp, before versions 0.29.3 and 0.30.3, can be accessed directly from the root shard without any authentication or authorization checks. This flaw allows an attacker who can reach the root shard to read from or write to the cache, effectively compromising data confidentiality and integrity. Exploitation requires only network connectivity to the root shard, with no additional privileges needed.

Affected Systems

kcp, a Kubernetes‑like control plane developed by kcp‑dev, is affected. All releases prior to 0.29.3 and prior to 0.30.3 expose the vulnerability. This includes kcp 0.29.x up to 0.29.2 and kcp 0.30.x up to 0.30.2.

Risk and Exploitability

The vulnerability carries a CVSS base score of 8.2, categorizing it as high severity. The exploit probability is not quantified, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is network‑based, requiring access to the root shard. Because no authentication is enforced, any party that can contact the root shard can immediately exploit the flaw, making it a significant risk for environments that expose kcp to external networks.

Generated by OpenCVE AI on April 8, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade kcp to version 0.29.3 or 0.30.3.

Generated by OpenCVE AI on April 8, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3j3q-wp9x-585p kcp's cache server is accessible without authentication or authorization checks
History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Kcp-dev
Kcp-dev kcp
Vendors & Products Kcp-dev
Kcp-dev kcp

Wed, 08 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
Title kcp's cache server is accessible without authentication or authorization checks
Weaknesses CWE-302
CWE-862
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Kcp-dev Kcp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T20:16:04.015Z

Reserved: 2026-04-07T00:23:30.596Z

Link: CVE-2026-39429

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T21:16:59.313

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:23Z

Weaknesses