Improper Access Control

kcp is vulnerable to Improper Access Control. The vulnerability is due to the cache server being exposed without authentication or authorization controls, which allows an attacker to read from and write to the cache server if they can access the root shard...

CVE-2026-39429

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard...

CVE-2026-39429

The CVE-2026-39429 issue in kcp affects the root shard’s cache server, which before versions 0.30.3 and 0.29.3 was exposed with no authentication/authorization. The cache server could be read from and written to by anyone who can reach the root shard, enabling unauthorized access to cached resour...

GHSA-3J3Q-WP9X-585P kcp's cache server is accessible without authentication or authorization checks

Summary The cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. Details The cache server is routed in the pre-mux chain in the shard code. The...

PT-2026-31352

Summary The cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. Details The cache server is routed in the pre-mux chain in the shard code. The...