CVE-2026-39429

Exploit

EPSS 0.07%
Veröffentlicht 08.04.2026 20:16:04
Zuletzt bearbeitet 15.04.2026 19:15:39
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kcp ≫ Kcp Version < 0.29.3

Kcp ≫ Kcp Version >= 0.30.0 < 0.30.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.208

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-302 Authentication Bypass by Assumed-Immutable Data

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p

Vendor Advisory

Exploit

Mitigation

https://github.com/kcp-dev/kcp/releases/tag/v0.29.3

Release Notes

https://github.com/kcp-dev/kcp/releases/tag/v0.30.3

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-39429

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39429

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39429

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39429