CVE-2026-39429
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Access in kcp Cache Server via Unauthenticated Root Shard

Publication date: 2026-04-08

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-15
Generated
2026-05-07
AI Q&A
2026-04-09
EPSS Evaluated
2026-05-05
NVD
CVE-2026-39429
EUVD
EUVD-2026-20607
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kcp kcp to 0.29.3 (exc)
kcp kcp From 0.30.0 (inc) to 0.30.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-302 The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

Because the cache server lacks authentication and authorization, an attacker with access to the root shard can read sensitive data stored in the cache and modify it. This can lead to unauthorized data exposure and potential data integrity issues, compromising the security of workloads managed by kcp.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade kcp to version 0.30.3 or 0.29.3 or later, where the cache server is no longer directly exposed by the root shard without authentication or authorization.


Can you explain this vulnerability to me?

The vulnerability exists in kcp, a Kubernetes-like control plane. Prior to versions 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard without any authentication or authorization mechanisms. This means that anyone who can access the root shard can read from and write to the cache server without restrictions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows unauthorized read and write access to the cache server due to lack of authentication and authorization. Such unauthorized access to potentially sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and health information.

However, the provided information does not explicitly state the impact on compliance with these standards.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart