Cyber Resilience

CVE-2026-39429

Severity: High · Public PoC

Published: 08 April 2026
Modified: 15 April 2026
KEV Added: (not listed)
Patch: available (see release notes below)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0044 (34.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-39429 is a high-severity Authentication Bypass by Assumed-Immutable Data (CWE-302) vulnerability in kcp (vendor: kcp). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 34.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-39429 is a security vulnerability in kcp, a Kubernetes-like control plane designed for form-factors and use-cases beyond Kubernetes and container workloads. In versions prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard without any authentication or authorization mechanisms. This flaw, linked to CWE-302 and CWE-862, enables unauthorized parties with access to the root shard to perform read and write operations on the cache server.

The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), making it remotely exploitable over the network with low attack complexity and no user interaction or privileges required. Any attacker able to reach the root shard endpoint can extract sensitive cached data, achieving high confidentiality impact, and make limited modifications to cache contents, resulting in low integrity impact without affecting availability.

Mitigation is available through upgrades to kcp versions 0.30.3 or 0.29.3, which address the exposure. Additional details are provided in the GitHub security advisory (GHSA-3j3q-wp9x-585p) and release notes at https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 and https://github.com/kcp-dev/kcp/releases/tag/v0.30.3.
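As an added illustration (not kcp's code and not taken from the advisory), the Go sketch below contrasts a cache handler that trusts anyone who can reach it, the condition described above, with the same handler placed behind an authentication and authorization wrapper; cacheServer, requireAuth, probe and the bearer-token table are hypothetical constructs.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// cacheServer is a constructed stand-in (not kcp's code) for a cache endpoint a shard
// exposes over HTTP. On its own it checks nothing: anyone who can reach it can read and write.
type cacheServer struct{ items map[string]string }
func (c *cacheServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	case http.MethodGet:
		if v, ok := c.items[r.URL.Path]; ok {
			io.WriteString(w, v)
		} else {
			http.NotFound(w, r)
		}
	case http.MethodPut:
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<16)) // bound the read
		c.items[r.URL.Path] = string(body)
		w.WriteHeader(http.StatusNoContent)
	}
}

// requireAuth is the hardening: a request must carry a known bearer token (else 401), and
// only tokens mapped to true may use a method other than GET (else 403). Token table is hypothetical.
func requireAuth(writers map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		switch canWrite, known := writers[tok]; {
		case tok == "" || !known:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case r.Method != http.MethodGet && !canWrite:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

func probe(h http.Handler, method, path, token, body string) int { // in-process request; returns status
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Running probe against the bare cacheServer shows unauthenticated reads and writes succeeding (200/204); against the requireAuth-wrapped handler, missing or unknown tokens get 401 and read-only tokens attempting PUT get 403.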

Vulnerability details

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

CWE(s): CWE-302, CWE-862

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability exposes a cache server via the root shard endpoint without authentication or authorization, enabling remote network attackers to read sensitive data and perform limited writes, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-69311 (shared CWE-862)
- CVE-2026-3266 (shared CWE-862)
- CVE-2026-45438 (shared CWE-862)
- CVE-2025-23477 (shared CWE-862)
- CVE-2025-68834 (shared CWE-862)
- CVE-2026-22663 (shared CWE-862)
- CVE-2024-12544 (shared CWE-862)
- CVE-2024-50967 (shared CWE-862)
- CVE-2025-68059 (shared CWE-862)
- CVE-2025-14070 (shared CWE-862)

Affected Assets

kcp (vendor: kcp): ≤ 0.29.3 · 0.30.0 to 0.30.3

Mitigating Controls (NIST 800-53 r5) (AI)

- AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to system resources, directly addressing the lack of authentication and authorization that allows unauthorized read/write to the exposed cache server.
- (prevent): Requires identification and authentication for system services and applications, mitigating unauthenticated access to the cache server via the root shard.
- AC-14 Permitted Actions Without Identification or Authentication (prevent): Limits and documents actions permitted without identification or authentication, preventing broad read/write capabilities on the unprotected cache server.

References

- GitHub security advisory GHSA-3j3q-wp9x-585p
- https://github.com/kcp-dev/kcp/releases/tag/v0.29.3
- https://github.com/kcp-dev/kcp/releases/tag/v0.30.3