CVE-2026-39429

Source
https://cve.org/CVERecord?id=CVE-2026-39429
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39429.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39429
Aliases
Related
Published
2026-04-08T20:16:04.015Z
Modified
2026-07-08T08:12:29.909119210Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
kcp's cache server is accessible without authentication or authorization checks
Details

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39429.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-302",
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/kcp-dev/kcp

Affected ranges

Type
GIT
Repo
https://github.com/kcp-dev/kcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:kcp:kcp:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.29.3"
        },
        {
            "introduced": "0.30.0"
        },
        {
            "fixed": "0.30.3"
        }
    ]
}

Affected versions

cli/v0.*
cli/v0.23.0
cli/v0.24.0
cli/v0.25.0
cli/v0.26.0
cli/v0.26.0-rc1
cli/v0.27.0
cli/v0.27.0-rc.0
cli/v0.27.0-rc.1
cli/v0.28.0
pkg/apis/v0.*
pkg/apis/v0.10.0
pkg/apis/v0.11.0
pkg/apis/v0.11.0-alpha.0
pkg/apis/v0.11.0-alpha.1
pkg/apis/v0.5.0-alpha.1
pkg/apis/v0.7.0
pkg/apis/v0.8.0
pkg/apis/v0.9.0
sdk/v0.*
sdk/v0.20.0
sdk/v0.21.0
sdk/v0.22.0
sdk/v0.23.0
sdk/v0.24.0
sdk/v0.25.0
sdk/v0.26.0
sdk/v0.26.0-rc1
sdk/v0.27.0
sdk/v0.27.0-rc.0
sdk/v0.27.0-rc.1
sdk/v0.28.0
v0.*
v0.10.0
v0.11.0
v0.11.0-alpha.0
v0.11.0-alpha.1
v0.20.0
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.26.0-rc1
v0.27.0
v0.27.0-rc.0
v0.27.0-rc.1
v0.28.0
v0.29.0
v0.29.0-rc.0
v0.29.0-rc.1
v0.29.1
v0.29.2
v0.3.0-alpha.0
v0.3.0-beta.1
v0.30.0
v0.30.1
v0.30.2
v0.4.0-alpha.0
v0.5.0-alpha.0
v0.5.0-alpha.1
v0.6.0-alpha.0
v0.7.0
v0.8.0
v0.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39429.json"