CVE-2026-39429
published 2026-04-08


Priority: P262
Severity: critical, CVSS 3.1 base score 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.44% (34.8th percentile)
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

Affected (6 ranges)

Vendor       Product       Version range         Fixed in
github.com   kcp-dev_kcp   >= 0 < 0.29.3         0.29.3
github.com   kcp-dev_kcp   >= 0.30.0 < 0.30.3    0.30.3
kcp-dev      kcp           < 0.29.3              0.29.3
kcp-dev      kcp           (not specified)       (not specified)
kcp          kcp           < 0.29.3              0.29.3
kcp          kcp           >= 0.30.0 < 0.30.3    0.30.3

Detection & IOCs (extracted from sources)

  • The kcp cache server is directly exposed by the root shard with no authentication or authorization; monitor for unauthenticated read and write requests to the cache server endpoint on the root shard
  • Flag vulnerable versions of github.com/kcp-dev/kcp (earlier than 0.30.3 on the 0.30 branch or earlier than 0.29.3 on the 0.29 branch) in software inventory or SCA tooling
  • The cache server on the kcp root shard requires authentication and authorization controls; deployments that expose the root shard to untrusted networks without these controls are fully vulnerable to unauthenticated read and write access
  • Fixed versions are 0.30.3 and 0.29.3 for github.com/kcp-dev/kcp; any earlier version of either branch is affected