CVE-2026-39429
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Access in kcp Cache Server via Unauthenticated Root Shard

Publication date: 2026-04-08

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39429
EUVD
EUVD-2026-20607
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kcp kcp to 0.29.3 (exc)
kcp kcp From 0.30.0 (inc) to 0.30.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-302 The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

Because the cache server lacks authentication and authorization, an attacker with access to the root shard can read sensitive data stored in the cache and modify it. This can lead to unauthorized data exposure and potential data integrity issues, compromising the security of workloads managed by kcp.

Mitigation Strategies

To mitigate this vulnerability, upgrade kcp to version 0.30.3 or 0.29.3 or later, where the cache server is no longer directly exposed by the root shard without authentication or authorization.

Executive Summary

The vulnerability exists in kcp, a Kubernetes-like control plane. Prior to versions 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard without any authentication or authorization mechanisms. This means that anyone who can access the root shard can read from and write to the cache server without restrictions.

Compliance Impact

This vulnerability allows unauthorized read and write access to the cache server due to lack of authentication and authorization. Such unauthorized access to potentially sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and health information.

However, the provided information does not explicitly state the impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart