Nixpkgs security tracker

Untriaged

Permalink CVE-2026-39429

8.2 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

kcp's cache server is accessible without authentication or authorization checks

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

References

https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p x_refsource_CONFIRM
https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 x_refsource_MISC
https://github.com/kcp-dev/kcp/releases/tag/v0.30.3 x_refsource_MISC

Affected products

kcp

==< 0.29.3
==>= 0.30.0, < 0.30.3

Matching in nixpkgs

pkgs.kcp

Fast and Reliable ARQ Protocol

nixos-unstable 1.7
- nixpkgs-unstable 1.7
- nixos-unstable-small 1.7
nixos-25.11 1.7
- nixos-25.11-small 1.7
- nixpkgs-25.11-darwin 1.7

pkgs.kubernetes-kcp

Kubernetes-like control planes for form-factors and use-cases beyond Kubernetes and container workloads

nixos-unstable 0.29.0
- nixpkgs-unstable 0.29.0
- nixos-unstable-small 0.29.0
nixos-25.11 0.28.3
- nixos-25.11-small 0.28.3
- nixpkgs-25.11-darwin 0.28.3

Package maintainers