CVE-2026-39429
Published: 08 April 2026
Summary
CVE-2026-39429 is a high-severity Authentication Bypass by Assumed-Immutable Data (CWE-302) vulnerability in kcp (vendor Kcp, product Kcp). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 34.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-39429 is a security vulnerability in kcp, a Kubernetes-like control plane designed for form-factors and use-cases beyond Kubernetes and container workloads. In versions prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard without any authentication or authorization mechanisms. This flaw, linked to CWE-302 and CWE-862, enables unauthorized parties with access to the root shard to perform read and write operations on the cache server.
The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), making it remotely exploitable over the network with low attack complexity and no user interaction or privileges required. Any attacker able to reach the root shard endpoint can extract sensitive cached data, achieving high confidentiality impact, and make limited modifications to cache contents, resulting in low integrity impact without affecting availability.
Mitigation is available through upgrades to kcp versions 0.30.3 or 0.29.3, which address the exposure. Additional details are provided in the GitHub security advisory (GHSA-3j3q-wp9x-585p) and release notes at https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 and https://github.com/kcp-dev/kcp/releases/tag/v0.30.3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20607
Vulnerability details
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
- CWE(s): CWE-302 (Authentication Bypass by Assumed-Immutable Data), CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application)
Why these techniques?
The vulnerability exposes a cache server via the root shard endpoint without authentication or authorization, enabling remote network attackers to read sensitive data and perform limited writes, directly facilitating T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to system resources, directly addressing the lack of authentication and authorization that allows unauthorized read/write access to the exposed cache server.
- Requires identification and authentication for system services and applications, mitigating unauthenticated access to the cache server via the root shard.
- AC-14 (Permitted Actions Without Identification or Authentication): Limits and documents the actions permitted without identification or authentication, preventing broad read/write capabilities on the unprotected cache server.