{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39429", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.596Z", "datePublished": "2026-04-08T20:16:04.015Z", "dateUpdated": "2026-04-10T20:49:31.041Z"}, "containers": {"cna": {"title": "kcp's cache server is accessible without authentication or authorization checks", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-302", "lang": "en", "description": "CWE-302: Authentication Bypass by Assumed-Immutable Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p"}, {"name": "https://github.com/kcp-dev/kcp/releases/tag/v0.29.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/kcp-dev/kcp/releases/tag/v0.29.3"}, {"name": "https://github.com/kcp-dev/kcp/releases/tag/v0.30.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/kcp-dev/kcp/releases/tag/v0.30.3"}], "affected": [{"vendor": "kcp-dev", "product": "kcp", "versions": [{"version": ">= 0.30.0, < 0.30.3", "status": "affected"}, {"version": "< 0.29.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:16:04.015Z"}, "descriptions": [{"lang": "en", "value": "kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3."}], "source": {"advisory": "GHSA-3j3q-wp9x-585p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:49:20.729406Z", "id": "CVE-2026-39429", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:49:31.041Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39429", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:49:20.729406Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:49:27.033Z"}}], "cna": {"title": "kcp's cache server is accessible without authentication or authorization checks", "source": {"advisory": "GHSA-3j3q-wp9x-585p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kcp-dev", "product": "kcp", "versions": [{"status": "affected", "version": ">= 0.30.0, < 0.30.3"}, {"status": "affected", "version": "< 0.29.3"}]}], "references": [{"url": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p", "name": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kcp-dev/kcp/releases/tag/v0.29.3", "name": "https://github.com/kcp-dev/kcp/releases/tag/v0.29.3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kcp-dev/kcp/releases/tag/v0.30.3", "name": "https://github.com/kcp-dev/kcp/releases/tag/v0.30.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-302", "description": "CWE-302: Authentication Bypass by Assumed-Immutable Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:16:04.015Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39429", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:49:31.041Z", "dateReserved": "2026-04-07T00:23:30.596Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T20:16:04.015Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3."}], "id": "CVE-2026-39429", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T21:16:59.313", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kcp-dev/kcp/releases/tag/v0.29.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/kcp-dev/kcp/releases/tag/v0.30.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-302"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.30.0,0.30.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.29.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kcp", "source": "cna", "vendor": "kcp-dev"}, "product": "kcp", "vendor": "kcp-dev"}], "analysis": {"en": {"generated_at": "2026-04-08T21:22:48.399531+00:00", "value": {"mitigation_remediation": ["Upgrade kcp to version 0.29.3 or 0.30.3."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted Access to Cache Server"}, "threat_synthesis": {"affected_systems": "kcp, a Kubernetes\u2011like control plane developed by kcp\u2011dev, is affected. All releases prior to 0.29.3 and prior to 0.30.3 expose the vulnerability. This includes kcp 0.29.x up to 0.29.2 and kcp 0.30.x up to 0.30.2.", "description_and_impact": "The cache server in kcp, before versions 0.29.3 and 0.30.3, can be accessed directly from the root shard without any authentication or authorization checks. This flaw allows an attacker who can reach the root shard to read from or write to the cache, effectively compromising data confidentiality and integrity. Exploitation requires only network connectivity to the root shard, with no additional privileges needed.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 8.2, categorizing it as high severity. The exploit probability is not quantified, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is network\u2011based, requiring access to the root shard. Because no authentication is enforced, any party that can contact the root shard can immediately exploit the flaw, making it a significant risk for environments that expose kcp to external networks."}}}}, "created": "2026-04-09T08:18:00.834343+00:00", "updated": "2026-04-09T08:27:23.914079+00:00", "vendors": ["kcp-dev", "kcp-dev$PRODUCT$kcp"]}