CVE-2026-39429
Published: 08 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-39429 is a security vulnerability in kcp, a Kubernetes-like control plane designed for form-factors and use-cases beyond Kubernetes and container workloads. In versions prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard without any authentication or authorization mechanisms. This flaw, linked to CWE-302 and CWE-862, enables unauthorized parties with access to the root shard to perform read and write operations on the cache server.
The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), making it remotely exploitable over the network with low attack complexity and no user interaction or privileges required. Any attacker able to reach the root shard endpoint can extract sensitive cached data, achieving high confidentiality impact, and make limited modifications to cache contents, resulting in low integrity impact without affecting availability.
Mitigation is available through upgrades to kcp versions 0.30.3 or 0.29.3, which address the exposure. Additional details are provided in the GitHub security advisory (GHSA-3j3q-wp9x-585p) and release notes at https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 and https://github.com/kcp-dev/kcp/releases/tag/v0.30.3.
Details
- CWE(s): CWE-302, CWE-862
- Affected Products: kcp versions prior to 0.29.3 and 0.30.3 (fixed in 0.29.3 and 0.30.3)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes a cache server via the root shard endpoint without authentication or authorization, enabling remote network attackers to read sensitive data and perform limited writes, directly facilitating T1190: Exploit Public-Facing Application.