CVE-2025-29922
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-29922 affects kcp, a Kubernetes-like control plane designed for form-factors and use-cases beyond Kubernetes and container workloads. In versions prior to 0.26.3, the vulnerability enables unauthorized creation or deletion of pre-existing objects via the APIExport VirtualWorkspace in any arbitrary target workspace. By design, such operations should only be permitted if the workspace owner explicitly grants access through an APIBinding, but this flaw allows them even without an APIBinding or if a permission claim has been rejected. It is rated at CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-285 (Improper Authorization).
A low-privileged remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. By sending requests through the APIExport VirtualWorkspace, the attacker can create or delete objects in arbitrary target workspaces, bypassing the APIBinding-based authorization controls; the impact on confidentiality and integrity is high, and the scope is changed because the effect crosses workspace boundaries.
The vulnerability has been addressed in kcp versions 0.26.3 and 0.27.0. Administrators should upgrade to these patched releases for mitigation. Additional details are available in the GitHub security advisory at GHSA-w2rr-38wv-8rrp, the fixing pull request #3338, and commit 614ecbf35f11db00f65391ab6fbb1547ca8b5d38.
Details
- CWE(s): CWE-285 (Improper Authorization)
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The authorization bypass in the kcp APIExport VirtualWorkspace allows low-privileged remote attackers to create or delete objects in arbitrary workspaces without the required APIBinding, which directly enables exploitation for privilege escalation.