kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is…

CVE-2026-39429 affects kcp, a Kubernetes-like control plane platform. The vulnerability exists in versions prior to 0.30.3 and 0.29.3 where the cache server is directly exposed by the root shard without any authentication or authorization mechanisms. This allows unauthorized users who can access the root shard to perform read and write operations on the cache server. The issue has been resolved in versions 0.30.3 and 0.29.3. This represents a significant security flaw that could lead to unauthorized data access and manipulation in affected kcp deployments.