LeakyCreds

CVE-2026-39429 - Vulnerability Analysis

High | CVSS: 8.2

Last Updated: April 8, 2026

kcp - Broken Access Control

Published: April 8, 2026 | Updated: April 8, 2026 | Remote Exploitable

Overview

kcp versions < 0.30.3 and < 0.29.3 contain a broken access control vulnerability: the cache server exposed by the root shard can be accessed without authentication or authorization, letting attackers read and write cache data. Exploitation requires access to the root shard.

Severity & Score

Severity: High
CVSS Score: 8.2

Impact

Attackers with root shard access can read and modify cache data, potentially compromising system integrity and confidentiality.

Mitigation

Update to version 0.30.3 or 0.29.3 or later.

Details

CVE ID: CVE-2026-39429
Severity: High
CVSS Score: 8.2
Type: broken_access_control
Status: unconfirmed

CWE

  • CWE-302

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N