PT-2025-12365 · Kcp · Kcp

Published: 2025-03-20 · Updated: 2026-03-12 · CVE-2025-29922

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: kcp versions prior to 0.26.3

Description: The vulnerability allows a user with access to the APIExport VirtualWorkspace to create or delete objects of pre-existing resources in any target workspace, even when that workspace has no APIBinding or its owner has rejected the permission claim. The check that an APIBinding must have been created by the workspace owner is bypassed, so access is granted without the owner's authorization.

Recommendations: For versions prior to 0.26.3, update to version 0.26.3 or 0.27.0 to resolve the issue. As a temporary workaround, restrict access to the APIExport VirtualWorkspace to minimize the risk of exploitation, or avoid using the APIExport VirtualWorkspace until a fixed version is deployed.

Weakness Enumeration: Improper Authorization

Related Identifiers

BDU:2026-00110
CVE-2025-29922
GHSA-W2RR-38WV-8RRP
GO-2025-3538
OPENSUSE-SU-2025:14937-1

Affected Products

Kcp