CVE-2026-39429
Published 2026-04-08
Priority: P2 · 62 | CVSS 3.1: 9.1 (critical) | Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.44% (34.8th percentile)
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kcp-dev_kcp | >= 0 < 0.29.3 | 0.29.3 |
| github.com | kcp-dev_kcp | >= 0.30.0 < 0.30.3 | 0.30.3 |
| kcp-dev | kcp | < 0.29.3 | 0.29.3 |
| kcp-dev | kcp | — | — |
| kcp | kcp | < 0.29.3 | 0.29.3 |
| kcp | kcp | >= 0.30.0 < 0.30.3 | 0.30.3 |
Detection & IOCs (extracted from sources)
- The kcp cache server is directly exposed by the root shard with no authentication or authorization; monitor for unauthenticated read/write requests to the cache server endpoint on the root shard
- Flag vulnerable versions of github.com/kcp-dev/kcp (prior to 0.29.3 on the 0.29 branch, prior to 0.30.3 on the 0.30 branch) in software inventory or SCA tooling
- The cache server on the kcp root shard lacks authentication and authorization controls in affected versions; deployments exposing the root shard to untrusted networks are fully open to unauthenticated read/write access
- Fixed versions are 0.30.3 and 0.29.3 for github.com/kcp-dev/kcp; any earlier version of either branch is affected
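The two version-flagging items above are mechanical enough to script. The Go program below is an added example, not kcp's code or the advisory's: it transcribes the advisory's two affected ranges (>= 0 < 0.29.3 and >= 0.30.0 < 0.30.3) into half-open intervals and checks either a bare version string or the require lines of a go.mod against them. The module path github.com/kcp-dev/kcp comes from the advisory; sampleGoMod is constructed input, and treating a pre-release tag such as 0.30.3-rc.1 as preceding its release (the semver rule, so it is still flagged) is an assumption about how an inventory wants such builds classified.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver is a parsed MAJOR.MINOR.PATCH with an optional pre-release tag.
type semver struct {
	major, minor, patch int
	pre                 string // e.g. "rc.1" for 0.30.3-rc.1; empty for a release
}

// parseSemver accepts the forms seen in go.mod and release tags:
// "v0.29.2", "0.30.3", "0.30.3-rc.1", "0.30.1+build.5".
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects precedence
	}
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("version %q has non-numeric component %q", s, p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less reports a < b. A pre-release precedes its release (semver rule), so
// 0.30.3-rc.1 < 0.30.3 and therefore still falls inside the affected range.
func less(a, b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	if (a.pre == "") != (b.pre == "") {
		return a.pre != "" // the pre-release side is the smaller one
	}
	return a.pre < b.pre
}

// halfOpen is [lo, hi): affected from lo, fixed at hi.
type halfOpen struct{ lo, hi semver }

func (r halfOpen) contains(v semver) bool { return !less(v, r.lo) && less(v, r.hi) }

// affectedRanges transcribes the advisory's two ranges for github.com/kcp-dev/kcp:
// >= 0 < 0.29.3 and >= 0.30.0 < 0.30.3. Anything else (0.29.3+, 0.30.3+, 0.31+) is not affected.
var affectedRanges = []halfOpen{
	{semver{0, 0, 0, ""}, semver{0, 29, 3, ""}},
	{semver{0, 30, 0, ""}, semver{0, 30, 3, ""}},
}

// IsAffected reports whether a kcp version string falls in an affected range.
func IsAffected(version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if r.contains(v) {
			return true, nil
		}
	}
	return false, nil
}

const kcpModule = "github.com/kcp-dev/kcp"

// FlagGoMod scans go.mod text for require lines naming the kcp module and
// returns the versions that are affected. Both the block form ("\tgithub.com/... vX")
// and the single-line form ("require github.com/... vX") are handled; sub-modules
// with a different path are deliberately not matched.
func FlagGoMod(goMod string) ([]string, error) {
	var flagged []string
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) < 2 || f[0] != kcpModule {
			continue
		}
		hit, err := IsAffected(f[1])
		if err != nil {
			return nil, err
		}
		if hit {
			flagged = append(flagged, f[1])
		}
	}
	return flagged, nil
}

// sampleGoMod is a constructed go.mod used only to exercise FlagGoMod.
const sampleGoMod = `module example.com/operator

go 1.22

require (
	github.com/kcp-dev/kcp v0.29.2
	github.com/spf13/cobra v1.8.0
)
`

func main() {
	flagged, err := FlagGoMod(sampleGoMod)
	if err != nil {
		panic(err)
	}
	fmt.Println("affected kcp versions in go.mod:", flagged)
}
```

Run it against a real go.mod by replacing sampleGoMod with the file contents; an empty result means every kcp require line sits at or above the fixed version for its branch.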
GHSA
kcp's cache server is accessible without authentication or authorization checks
ghsa·2026-04-08
CVE-2026-39429 [HIGH] CWE-302 kcp's cache server is accessible without authentication or authorization checks
### Summary
The cache server is directly exposed by the root shard and has no authentication or authorization in place.
This allows anyone who can access the root shard to read and write to the cache server.
### Details
The cache server is routed in the pre-mux chain in the shard code.
The preHandlerChainMux is handled before any authn/authz in the cache server:
https://github.com/kcp-dev/kcp/blob/aaf93d59cbcd0cefb70d94bd8959ce390547c4a2/pkg/server/config.go#L514-L518
This results in the cache server being proxied before any authn/authz in the handler chain takes place.
### Attack Vectors
#### 1. Unauthenticated Read Access (Primary)
An attacker can read all replicated resources from the cache without an
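The Details section above describes the ordering problem rather than showing it. The Go program below is an added illustration, not kcp's code or its fix: a pre-handler mux that dispatches the cache prefix straight to the cache server reproduces the bypass, and a layout that registers the same route behind the auth filter is one way to close it (the project's actual change is not reproduced here). The /cache/ prefix, the requireAuth bearer check and validToken are constructed for the demo and are not kcp's real paths or authentication scheme.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// validToken is a constructed credential for the demo; no real token scheme is implied.
const validToken = "demo-token"

// requireAuth stands in for the authentication and authorization filters of an
// apiserver-style handler chain: anything it wraps is reachable only with a
// valid bearer token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// cacheServer is a toy stand-in for the replicated-resource cache: it answers
// reads and writes on any path under its prefix and does no checks of its own.
func cacheServer() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "cache %s %s\n", r.Method, r.URL.Path)
	})
}

// apiServer is the regular API surface that is meant to sit behind the filters.
func apiServer() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "api %s %s\n", r.Method, r.URL.Path)
	})
}

// vulnerableChain reproduces the ordering flaw the advisory describes: a
// pre-handler mux dispatches the cache prefix directly to the cache server and
// only the remaining routes pass through requireAuth, so every request under
// /cache/ bypasses authn/authz regardless of method.
func vulnerableChain() http.Handler {
	preMux := http.NewServeMux()
	preMux.Handle("/cache/", cacheServer())      // registered before the auth filter
	preMux.Handle("/", requireAuth(apiServer())) // everything else is gated
	return preMux
}

// hardenedChain is one corrective layout (not the project's own patch): the
// cache route is registered inside the mux that sits behind requireAuth, so the
// filters run before any dispatch to the cache server.
func hardenedChain() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/cache/", cacheServer())
	mux.Handle("/", apiServer())
	return requireAuth(mux)
}

// Probe sends one in-memory request through a chain and returns the status code.
func Probe(chain http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	chain.ServeHTTP(rec, req)
	return rec.Code
}

// Chains exposes both layouts by name so a caller can compare them side by side.
func Chains() map[string]http.Handler {
	return map[string]http.Handler{
		"vulnerable": vulnerableChain(),
		"hardened":   hardenedChain(),
	}
}

func main() {
	for name, chain := range Chains() {
		fmt.Printf("%-10s unauth GET  /cache/x -> %d\n", name, Probe(chain, "GET", "/cache/x", ""))
		fmt.Printf("%-10s unauth POST /cache/x -> %d\n", name, Probe(chain, "POST", "/cache/x", ""))
		fmt.Printf("%-10s unauth GET  /api/x   -> %d\n", name, Probe(chain, "GET", "/api/x", ""))
		fmt.Printf("%-10s auth   GET  /cache/x -> %d\n", name, Probe(chain, "GET", "/cache/x", validToken))
	}
}
```

On the vulnerable layout the unauthenticated GET and POST to /cache/x both return 200 while /api/x returns 401, which is exactly the asymmetry to look for when auditing a handler chain: any route registered on a mux that runs ahead of the filter stack inherits none of its protection. The same probe against a real deployment (an unauthenticated request to the cache endpoint on the root shard) is the practical check for exposure.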
OSV
kcp's cache server is accessible without authentication or authorization checks
osv·2026-04-08
CVE-2026-39429 [HIGH] kcp's cache server is accessible without authentication or authorization checks
(Advisory body identical to the GHSA entry above.)
No detection rules found.
No public exploits indexed.
Published: 2026-04-08