CVE-2026-39429: CWE-862: Missing Authorization in kcp-dev kcp
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-39429 affects kcp versions prior to 0.30.3 and 0.29.3. The root shard exposes the cache server without implementing authentication or authorization controls, enabling unauthorized users with access to the root shard to perform read and write operations on the cache server. This is classified under CWE-862 (Missing Authorization) and CWE-302 (Authentication Bypass). The CVSS 3.1 base score is 8.2, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. The vulnerability is addressed by updating to versions 0.30.3 or 0.29.3 where proper access controls are enforced.
Potential Impact
An attacker who can access the root shard in affected versions of kcp can read and modify cache server data without any authentication or authorization. This leads to a high confidentiality impact and a low integrity impact. There is no impact on availability. The vulnerability could allow unauthorized disclosure and partial modification of sensitive data managed by the cache server.
Mitigation Recommendations
This vulnerability is fixed in kcp versions 0.30.3 and 0.29.3. Users should upgrade to one of these versions or later to ensure proper authentication and authorization are enforced on the cache server. Patch status is confirmed fixed in these versions. No additional mitigations are indicated by the vendor advisory.
CVE-2026-39429: CWE-862: Missing Authorization in kcp-dev kcp
Description
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-39429 affects kcp versions prior to 0.30.3 and 0.29.3. The root shard exposes the cache server without implementing authentication or authorization controls, enabling unauthorized users with access to the root shard to perform read and write operations on the cache server. This is classified under CWE-862 (Missing Authorization) and CWE-302 (Authentication Bypass). The CVSS 3.1 base score is 8.2, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. The vulnerability is addressed by updating to versions 0.30.3 or 0.29.3 where proper access controls are enforced.
Potential Impact
An attacker who can access the root shard in affected versions of kcp can read and modify cache server data without any authentication or authorization. This leads to a high confidentiality impact and a low integrity impact. There is no impact on availability. The vulnerability could allow unauthorized disclosure and partial modification of sensitive data managed by the cache server.
Mitigation Recommendations
This vulnerability is fixed in kcp versions 0.30.3 and 0.29.3. Users should upgrade to one of these versions or later to ensure proper authentication and authorization are enforced on the cache server. Patch status is confirmed fixed in these versions. No additional mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T00:23:30.596Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d6bc281cc7ad14daadeade
Added to database: 4/8/2026, 8:35:52 PM
Last enriched: 4/8/2026, 8:50:53 PM
Last updated: 4/9/2026, 8:15:47 AM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.