CVE-2026-39429: kcp's cache server is accessible without authentication or authorization checks
The cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read from and write to the cache server.