PT-2026-31352 · Kcp · Kcp

Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-39429

CVSS v3.1 9.1 Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: kcp 0.30.0 through 0.30.2, and every release before 0.29.3 (the issue is fixed in 0.30.3 and 0.29.3).
Description: Before versions 0.30.3 and 0.29.3, the root shard exposes the kcp cache server directly, with no authentication and no authorization. Anyone with network access to the root shard can therefore read from and write to the cache server without presenting any credentials. An attacker can read every resource replicated into the cache, including RBAC data, cluster topology, API surfaces, admission control configurations, tenancy information, and cache metadata; this unauthenticated disclosure is the main impact. Because full create, read, update and delete operations are also possible, a race condition could allow temporary privilege escalation, but practical exploitability is low: the replication controller acts as a self-healing mechanism and deletes injected objects almost instantly, so a forged object has only a very short window in which it can take effect.
Recommendations: Upgrade the 0.30 line to kcp 0.30.3 or later, or the 0.29 line to kcp 0.29.3 or later.
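The affected ranges above are easy to misread ("prior to 0.30.3 and prior to 0.29.3" is two release lines, not one cut-off), so the following Go program encodes them as a version check that can be run against the tags of deployed kcp shards. It is an added example written for this page, not code from the kcp project or from the advisory; the function name AffectedByCVE202639429, the tag-parsing rules (optional "v" prefix, a "-" suffix treated as a pre-release that sorts below its final release) and the sample tags in main are all assumptions made here. It also goes slightly beyond the advisory text by treating 0.29.3 and later patch releases on the 0.29 line, and 0.31 and later, as not affected, which follows from the recommendations.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// kcpVersion is the parsed form of a kcp release tag such as "v0.30.1" or
// "v0.30.3-rc.1". pre marks a pre-release suffix, which sorts before the
// final release with the same major.minor.patch.
type kcpVersion struct {
	major, minor, patch int
	pre                 bool
}

// parseKcpVersion accepts "0.30.1", "v0.30.1" and "v0.30.1-rc.1"; anything
// that is not major.minor.patch with non-negative numeric parts is rejected.
func parseKcpVersion(tag string) (kcpVersion, error) {
	s := strings.TrimPrefix(strings.TrimSpace(tag), "v")
	var v kcpVersion
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.pre = s[i] == '-' // "+build" metadata does not change ordering
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return kcpVersion{}, fmt.Errorf("not a major.minor.patch version: %q", tag)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return kcpVersion{}, fmt.Errorf("bad component %q in %q", p, tag)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less orders versions numerically, with a pre-release below its final release.
func (v kcpVersion) less(o kcpVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	if v.patch != o.patch {
		return v.patch < o.patch
	}
	return v.pre && !o.pre
}

// Fixed releases named in the advisory.
var (
	fixed030 = kcpVersion{major: 0, minor: 30, patch: 3}
	fixed029 = kcpVersion{major: 0, minor: 29, patch: 3}
)

// AffectedByCVE202639429 reports whether a kcp release tag falls in an
// affected range: 0.30.x before 0.30.3, or any release before 0.29.3.
// 0.29.3 and later on the 0.29 line carry the fix; 0.31 and later are not
// listed as affected by the advisory.
func AffectedByCVE202639429(tag string) (bool, error) {
	v, err := parseKcpVersion(tag)
	if err != nil {
		return false, err
	}
	if v.major == 0 && v.minor == 30 {
		return v.less(fixed030), nil
	}
	return v.less(fixed029), nil
}

func main() {
	// Constructed sample tags for illustration, not taken from any real deployment.
	for _, tag := range []string{"v0.30.2", "v0.30.3", "v0.30.3-rc.1", "v0.29.2", "v0.29.4", "v0.28.0", "v0.31.0"} {
		affected, err := AffectedByCVE202639429(tag)
		if err != nil {
			fmt.Println(tag, "error:", err)
			continue
		}
		fmt.Printf("%-14s affected=%v\n", tag, affected)
	}
}
```

Feed it the version tag reported by each shard binary; a release candidate of a fixed version (for example 0.30.3-rc.1) is deliberately reported as affected, since it predates the fix release.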

Fix

Weakness Enumeration

Missing Authentication
Missing Authorization

Related Identifiers

CVE-2026-39429
GHSA-3J3Q-WP9X-585P

Affected Products

Kcp