CVE-2026-39429
Published: 08 April 2026
Summary
CVE-2026-39429 is a high-severity Authentication Bypass by Assumed-Immutable Data (CWE-302) vulnerability in kcp. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 24.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to system resources, directly addressing the lack of authentication and authorization that allows unauthorized read/write access to the exposed cache server.
- Requires identification and authentication for system services and applications, mitigating unauthenticated access to the cache server via the root shard.
- AC-14 (Permitted Actions Without Identification or Authentication): Limits and documents actions permitted without identification or authentication, preventing broad read/write capabilities on the unprotected cache server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes a cache server via the root shard endpoint without authentication or authorization, enabling remote network attackers to read sensitive data and perform limited writes, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.
Deeper analysis
CVE-2026-39429 is a security vulnerability in kcp, a Kubernetes-like control plane designed for form-factors and use-cases beyond Kubernetes and container workloads. In versions prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard without any authentication or authorization mechanisms. This flaw, linked to CWE-302 and CWE-862, enables unauthorized parties with access to the root shard to perform read and write operations on the cache server.
The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), making it remotely exploitable over the network with low attack complexity and no user interaction or privileges required. Any attacker able to reach the root shard endpoint can extract sensitive cached data, achieving high confidentiality impact, and make limited modifications to cache contents, resulting in low integrity impact without affecting availability.
Mitigation is available through upgrades to kcp versions 0.30.3 or 0.29.3, which address the exposure. Additional details are provided in the GitHub security advisory (GHSA-3j3q-wp9x-585p) and release notes at https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 and https://github.com/kcp-dev/kcp/releases/tag/v0.30.3.
Details
- CWE(s)