CVE-2026-39429 HIGH

CVE-2026-39429: kcp's cache server is accessible without authentication or authorization checks

Vendor Kcp-Dev
Product kcp
Weakness CWE-862 · Missing authorization
Published April 8, 2026
Last update April 10, 2026
View on NVD All CVEs

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

Key dates

02Disclosure timeline

April 8, 2026 CVE published
April 10, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-7624 SEO Plugin by Squirrly SEO <= 12.4.16 - Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations CVE-2024-43229 WordPress WP Search Analytics plugin <= 1.4.9 - Broken Access Control vulnerability CVE-2024-33588 WordPress basepress plugin <= 2.16.1 - Broken Access Control vulnerability CVE-2025-31596 WordPress Chat by Chatwee plugin <= 2.1.3 - Broken Access Control vulnerability CVE-2025-64263 WordPress WP Content Pilot plugin <= 2.1.7 - Broken Access Control vulnerability