Nixpkgs security tracker

Untriaged

Permalink CVE-2026-39429

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

created 6 days, 18 hours ago

kcp's cache server is accessible without authentication or authorization checks

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. This vulnerability is fixed in 0.30.3 and 0.29.3.

References

https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p x_refsource_CONFIRM
https://github.com/kcp-dev/kcp/releases/tag/v0.29.3 x_refsource_MISC
https://github.com/kcp-dev/kcp/releases/tag/v0.30.3 x_refsource_MISC

Affected products

kcp

==>= 0.30.0, < 0.30.3
==< 0.29.3

Matching in nixpkgs

pkgs.kcp

Fast and Reliable ARQ Protocol

nixos-unstable 1.7
- nixpkgs-unstable 1.7
- nixos-unstable-small 1.7
nixos-25.11 1.7
- nixos-25.11-small 1.7
- nixpkgs-25.11-darwin 1.7

pkgs.kubernetes-kcp

Kubernetes-like control planes for form-factors and use-cases beyond Kubernetes and container workloads

nixos-unstable 0.29.0
- nixpkgs-unstable 0.29.0
- nixos-unstable-small 0.29.0
nixos-25.11 0.28.3
- nixos-25.11-small 0.28.3
- nixpkgs-25.11-darwin 0.28.3

Package maintainers

@rytswd Ryota <rytswd@gmail.com>