
18 matches found

Chainguard
added 2026/04/13 7:18 p.m., 2 views

GHSA-3J3Q-WP9X-585P vulnerabilities

Vulnerabilities for packages: kcp, kcp-fips, kcp-fips-0.29, kcp-0.29...

AI score 5.8
Exploits 0

Chainguard
added 2026/04/13 7:18 p.m., 2 views

CVE-2026-39429 vulnerabilities

Vulnerabilities for packages: kcp, kcp-fips, kcp-fips-0.29, kcp-0.29...

CVSS 9.1, AI score 5.8, EPSS 0.00114
Exploits 1

Snyk
added 2026/04/08 9:10 p.m., 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization due to missing authentication and authorization checks in the cache server. An attacker can gain unauthorized read and write access by sending requests directly to the exposed service. Remediation: Upgrade...

CVSS 9.1, AI score 5.5, EPSS 0.00114
Exploits 1, References 2

CVE
added 2026/04/08 8:16 p.m., 3 views

CVE-2026-39429

The CVE-2026-39429 issue in kcp affects the root shard’s cache server, which before versions 0.30.3 and 0.29.3 was exposed with no authentication/authorization. The cache server could be read from and written to by anyone who can reach the root shard, enabling unauthorized access to cached resour...

CVSS 9.1, AI score 5.9, EPSS 0.00114
Exploits 1, References 3, Affected Software 1

Cvelist
added 2026/04/08 8:16 p.m., 15 views

CVE-2026-39429 kcp's cache server is accessible without authentication or authorization checks

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard...

CVSS 8.2, EPSS 0.00114
Exploits 1, References 3

Vulnrichment
added 2026/04/08 8:16 p.m., 2 views

CVE-2026-39429 kcp's cache server is accessible without authentication or authorization checks

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard...

CVSS 8.2, AI score 5.8, EPSS 0.00114
Exploits 1, References 3

OSV
added 2025/10/23 4:25 p.m., 2 views

GO-2025-3985 kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace in github.com/kcp-dev/kcp

kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace in github.com/kcp-dev/kcp...

AI score 7
Exploits 0, References 4

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-7159

Malicious code in bioql PyPI...

CVSS 9.6, AI score 5.4, EPSS 0.00168
Exploits 0, References 5

Snyk
added 2025/03/20 6:49 p.m., 1 view

Improper Authorization

Overview: Affected versions of this package are vulnerable to Improper Authorization through the APIExport VirtualWorkspace. An attacker can create and delete objects in arbitrary target workspaces without the necessary permissions by exploiting this vulnerability. Workaround: This vulnerability ca...

CVSS 9.6, AI score 7, EPSS 0.00168
Exploits 0, References 2

NVD
added 2025/03/20 6:15 p.m., 9 views

CVE-2025-29922

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By...

CVSS 9.6, EPSS 0.00168
Exploits 0, References 3

Cvelist
added 2025/03/20 5:49 p.m., 22 views

CVE-2025-29922 kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By...

CVSS 9.6, EPSS 0.00168
Exploits 0, References 3

Vulnrichment
added 2025/03/20 5:49 p.m., 19 views

CVE-2025-29922 kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By...

CVSS 9.6, AI score 9.3, EPSS 0.00168
Exploits 0, References 3

OSV
added 2025/03/20 5:49 p.m., 6 views

CVE-2025-29922 kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By...

CVSS 9.6, AI score 5.3, EPSS 0.00168
Exploits 0, References 5

CNNVD
added 2025/03/20 12:00 a.m., 1 view

kcp authorization issue vulnerability

kcp is an open-source Kubernetes-like control plane from kcp-dev for Kubernetes and containers. An authorization issue vulnerability exists in kcp versions prior to 0.26.3, which stems from APIExport VirtualWorkspace allowing objects to be created or deleted in an arbitrary target workspace, potentiall...

CVSS 9.6, AI score 5.4, EPSS 0.00168
Exploits 0, References 4

OSV
added 2024/12/12 3:46 p.m., 3 views

GO-2024-3325 kcp's impersonation allows access to global administrative groups in github.com/kcp-dev/kcp

kcp's impersonation allows access to global administrative groups in github.com/kcp-dev/kcp...

AI score 7.1
Exploits 0, References 3

OSV
added 2024/12/11 6:42 p.m., 4 views

GHSA-C7XH-GJV4-4JGV kcp's impersonation allows access to global administrative groups

Impact: Impersonation is a feature of the Kubernetes API that allows user information to be overridden. As a downstream project, kcp inherits this feature. As per the linked documentation, a specific level of privilege, usually assigned to cluster admins, is required for impersonation. The vulnerability in kc...

CVSS 6.4, AI score 7
Exploits 0, References 5

HackerOne
added 2023/02/21 11:13 a.m., 168 views

Tor: Snowflake server: Leak of TLS packets from other clients

TLS packets from other clients were leaked to Snowflake clients due to a vulnerability in the Snowflake pluggable transport server. This issue allowed Snowflake clients to receive "ghost" packets at the KCP layer, containing TLS packets unrelated to the current session. The leaked packets include...

AI score 6.9
Exploits 0

CNVD
added 2016/11/01 12:00 a.m., 1 view

Cross-site scripting vulnerability in WordPress plugin woopay-kcp

WordPress is a blogging platform developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress plugin woopay-kcp. The program fails to filter user-supplied input, allowing an attacker to construct a...

AI score 6.6
Exploits 0