Remote Code Execution Vulnerability in KCP Control Plane by KCP Dev
CVE-2025-29922

9.6 CRITICAL

Key Information:

Vendor: Kcp-dev
Status: Vendor
CVE Published: 20 March 2025

What is CVE-2025-29922?

A serious vulnerability exists in the KCP Control Plane that allows unauthorized users to create or delete objects in any target workspace through the APIExport VirtualWorkspace. The issue stems from inadequate access control: by design, an API provider should gain access to a workspace only when the workspace owner permits it through an APIBinding, but the affected versions did not enforce this. As a result, an attacker could manipulate resources without a valid APIBinding, or even where permission claims had been denied. A fix has been released in versions 0.26.3 and 0.27.0.

Affected Version(s)

kcp < 0.26.3

References

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved