Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceCVE-2026-39429

CVE-2026-39429

HIGH8.2

kcp's cache server is accessible without authentication or authorization checks

Published Apr 8, 2026

Modified Yesterday

Details

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

References

https://github.com/kcp-dev/kcp/releases/tag/v0.29.3

https://github.com/kcp-dev/kcp/releases/tag/v0.30.3

https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p

https://www.cve.org/CVERecord?id=CVE-2026-39429

CVSS Analysis

CVSS v3.1

8.2

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

LowI:L

Availability

NoneA:N

8.2/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Weakness Type (CWE)

Access Control

Missing Authorization

Other

Ecosystems

Timeline

PublishedApr 8, 2026

ModifiedApr 10, 2026

CVE-2026-39429 | Mondoo Vulnerability Intelligence