CVE-2025-29922

Published: Mar 20, 2025

Modified: Mar 20, 2025

PUBLISHED

CVSS v3.1

9.6

CRITICAL

Description

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0.

Vendor	Product	Versions
kcp-dev	kcp	affected `< 0.26.3`

Weaknesses (CWE)

CWE-285

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/kcp-dev/kcp/security/advisories/GHSA-w2rr-38wv-8rrp

x_refsource_CONFIRM

https://github.com/kcp-dev/kcp/pull/3338

x_refsource_MISC

https://github.com/kcp-dev/kcp/commit/614ecbf35f11db00f65391ab6fbb1547ca8b5d38

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-29922

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References