CVE-2026-39429

CVE-2026-39429 PUBLISHED CVSS 8.2 HIGH

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

EPSS 0.11% · 29.7th percentile

Risk Scores

CVSS v3.1: 8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score: 0.11% (29.7th percentile)

Affected Products

Vendor | Product | Versions
github.com | kcp-dev/kcp | 0.30.0, 0
kcp-dev | kcp | >= 0.30.0, < 0.30.3, < 0.29.3

Timeline

  • Apr 8, 2026 CVE Published
  • Apr 8, 2026 PoC Published
  • Apr 9, 2026 CVE Updated
  • Apr 9, 2026 Security Advisory
  • Apr 11, 2026 EPSS Score
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score