CVE-2026-39429: CWE-862: Missing Authorization in kcp-dev kcp
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
AI Analysis
Technical Summary
The vulnerability in kcp-dev's kcp affects versions >= 0.30.0 and < 0.30.3, and all versions below 0.29.3. In these versions the root shard exposes the cache server directly, with no authentication or authorization in front of it. Because the cache server itself enforces no access control, any client that can reach the root shard can read from and write to the cache server without being identified or authorized. The issue is categorized under CWE-862 (Missing Authorization) and CWE-302 (Improper Access Control). It has a CVSS 3.1 base score of 8.2 (high severity): network attack vector, low attack complexity, no privileges required, no user interaction, high confidentiality impact and low integrity impact. The vulnerability is fixed in versions 0.30.3 and 0.29.3.
Potential Impact
In affected versions, anyone who can reach the root shard can read and modify data in the cache server without any authorization. This compromises the confidentiality of cached data and partially affects its integrity; there is no indication of an impact on availability. In practice this means unauthorized data exposure and unauthorized data modification within the kcp control plane environment, with the precondition that the attacker has network access to the root shard.
Mitigation Recommendations
This vulnerability is fixed in kcp versions 0.30.3 and 0.29.3. Users should upgrade to 0.30.3 or later on the 0.30 line, or to 0.29.3 or later on the 0.29 line, to remediate the issue. Since the vendor advisory confirms the fix availability, upgrading is the recommended and effective mitigation. No additional mitigations are indicated; note, however, that the issue is only reachable by clients that can access the root shard, so restricting which networks and clients can reach the root shard limits exposure until the upgrade is applied.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-07T00:23:30.596Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d6bc281cc7ad14daadeade
Added to database: 4/8/2026, 8:35:52 PM
Last enriched: 4/16/2026, 11:59:02 AM
Last updated: 5/23/2026, 11:14:28 PM