kcp Cache Server (CVE-2026-39429)
Vendor-confirmed. CVE-2026-39429 is a high-severity vulnerability in kcp versions before 0.30.3 and 0.29.3: the root shard exposes its integrated cache server with no authentication or authorization, so any attacker who can reach it over the network gets full read and write access to the cached data and bypasses the control plane's security boundaries. Upgrade to 0.30.3 or 0.29.3 immediately to prevent data exposure or control-plane compromise.
Overview
A high-severity security vulnerability, CVE-2026-39429, has been identified in kcp, a Kubernetes-like control plane. The flaw resides in the root shard component, where the integrated cache server is directly exposed without any authentication or authorization controls. This allows any network-accessible attacker to interact with the cache server freely.
Vulnerability Details
In affected versions, the cache server endpoint on the root shard is completely unprotected. The CVSS metrics reflect this: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None. Any attacker who can reach the root shard's network interface gains full read and write access to the cache, bypassing every intended security boundary for that component.
Impact
The impact of this vulnerability is significant. An attacker could read sensitive cached data, potentially exposing configuration details, state information, or other operational secrets. More critically, they could write malicious or corrupted data to the cache, leading to service disruption, data integrity issues, or enabling further attacks by poisoning the control plane’s data. In a worst-case scenario, this could be a stepping stone to compromising the broader kcp deployment.
Remediation and Mitigation
The primary and immediate remediation is to upgrade kcp to a patched version.
- Upgrade to version 0.30.3 if you are on the 0.30.x branch.
- Upgrade to version 0.29.3 if you are on the 0.29.x branch.
These versions add the missing authentication and authorization to the cache server endpoint. If you cannot upgrade immediately, make sure the root shard is not reachable from untrusted networks: use firewalls, security groups or equivalent network access controls to restrict access to the root shard's management interfaces to authorized administrative hosts only. Treat this as a stopgap, not a fix: any host that can still reach the endpoint, including other workloads on the same network segment, retains full unauthenticated read and write access until you upgrade. Monitor access to the cache server for unexpected sources, since this flaw could be a precursor to a larger compromise, and verify the running version after the upgrade.
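The first step in remediation is knowing which of your shards are on an affected release. The following Go program, added here as a worked example and not code from the kcp project, parses a kcp release tag (as reported by the binary or used as the image tag) and applies the advisory's version rules: anything before 0.29.3 is affected, 0.29.x is fixed from 0.29.3, 0.30.x is fixed from 0.30.3. Two choices go beyond what the advisory states and are assumptions: releases newer than 0.30.3 (0.31.0 and later, or a future 1.x) are treated as fixed, and a release candidate of a fixed patch level such as 0.30.3-rc.0 is treated as affected, because in semver it predates the final release. Unparseable input is deliberately reported as affected so that an unknown build is never silently marked safe.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// kcpVersion holds the parts of a kcp release tag needed for triage.
type kcpVersion struct {
	major, minor, patch int
	preRelease          string // e.g. "rc.0"; empty for a final release
}

// parseKcpVersion accepts tags such as "v0.30.2", "0.29.3" or "v0.30.3-rc.0".
// Build metadata after "+" is ignored, as semver requires.
func parseKcpVersion(s string) (kcpVersion, error) {
	var v kcpVersion
	s = strings.TrimSpace(strings.TrimPrefix(s, "v"))
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 {
		v.preRelease = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unrecognised version %q: want MAJOR.MINOR.PATCH", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unrecognised component %q in version %q", p, s)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// isAffected reports whether a kcp release is vulnerable to CVE-2026-39429.
// Assumption: releases newer than 0.30.3 (including any future 1.x) carry the fix.
func isAffected(v kcpVersion) bool {
	switch {
	case v.major > 0 || v.minor > 30:
		return false // released after the fixed versions
	case v.minor < 29:
		return true // older than 0.29.3
	}
	// 0.29.x or 0.30.x: the fix shipped in the .3 patch release of each branch.
	const fixedPatch = 3
	if v.patch < fixedPatch {
		return true
	}
	// A pre-release of the fixed patch level (0.30.3-rc.0) predates the fix.
	return v.patch == fixedPatch && v.preRelease != ""
}

// Triage returns the verdict for a version tag plus the advisory's upgrade
// target for that branch. Unparseable input is treated as affected.
func Triage(tag string) (affected bool, advice string) {
	v, err := parseKcpVersion(tag)
	if err != nil {
		return true, "cannot parse version (" + err.Error() + "); treat as affected and verify the build"
	}
	if !isAffected(v) {
		return false, "not affected by CVE-2026-39429"
	}
	if v.minor == 30 {
		return true, "affected: upgrade to 0.30.3"
	}
	return true, "affected: upgrade to 0.29.3 (or 0.30.3)"
}

func main() {
	// Constructed sample tags for illustration; pass real tags as arguments instead.
	tags := []string{"v0.28.9", "v0.29.2", "v0.29.3", "v0.30.2", "v0.30.3-rc.0", "v0.30.3", "v0.31.0", "dev-build"}
	if len(os.Args) > 1 {
		tags = os.Args[1:]
	}
	for _, tag := range tags {
		affected, advice := Triage(tag)
		fmt.Printf("%-14s affected=%-5t %s\n", tag, affected, advice)
	}
}
```

Run it with the tags of every shard in the deployment (`go run triage.go v0.30.2 v0.29.3`) and treat any `affected=true` line, including the "cannot parse" case, as a shard that needs the upgrade or the network restriction above.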
Security Insight
This vulnerability highlights the persistent risk of management and auxiliary services being deployed with "convenience over security" defaults. Like past incidents in which Redis or etcd instances were left exposed without authentication, it shows that control plane components, even those that never serve user workloads directly, are high-value attack surfaces. The lesson is the same as in those breaches: every network-reachable control-plane endpoint needs authentication, and it should not be reachable from untrusted networks in the first place.