CVE-2025-29922
📋 TL;DR
This vulnerability in kcp allows attackers to create or delete objects in any arbitrary target workspace via the APIExport VirtualWorkspace, bypassing the intended access controls. Attackers can perform these actions even when no APIBinding exists or when permission claims have been explicitly rejected. This affects all kcp deployments prior to version 0.26.3.
💻 Affected Systems
- kcp
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all workspaces, allowing unauthorized creation/deletion of critical resources, potential data destruction, and privilege escalation across the entire kcp deployment.
Likely Case
Unauthorized modification or deletion of resources in workspaces where the attacker shouldn't have access, potentially disrupting operations or exfiltrating sensitive data.
If Mitigated
Limited impact if network segmentation and strict access controls prevent unauthorized API access, though the vulnerability still exists at the application layer.
🎯 Exploit Status
Exploitation requires API access but is straightforward once access is obtained. The vulnerability is in the authorization logic, making exploitation simple for authenticated users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.26.3 or 0.27.0
Vendor Advisory: https://github.com/kcp-dev/kcp/security/advisories/GHSA-w2rr-38wv-8rrp
Restart Required: Yes
Instructions:
1. Stop kcp services.
2. Back up configuration and data.
3. Upgrade to kcp version 0.26.3 or 0.27.0.
4. Restart kcp services.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Restrict API Access
Limit network access to kcp API endpoints to trusted sources only, using firewall rules or network policies.
# Example using iptables (append the ACCEPT rule before the DROP rule so trusted sources are matched first):
iptables -A INPUT -p tcp --dport <kcp-port> -s <trusted-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <kcp-port> -j DROP
Disable APIExport VirtualWorkspace
If not required, disable the vulnerable APIExport VirtualWorkspace feature entirely.
# Modify kcp configuration to disable virtual workspace features
# Check kcp documentation for specific configuration options
🧯 If You Can't Patch
- Implement strict network segmentation to isolate kcp API endpoints from untrusted networks
- Enforce least-privilege access controls and audit all API access logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the kcp version: if it is lower than 0.26.3, the system is vulnerable.
Check Version:
kcp version | grep -i version
Verify Fix Applied:
After patching, verify version is 0.26.3 or higher and test that APIExport VirtualWorkspace properly enforces APIBinding requirements.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized API calls to create/delete objects in workspaces without proper APIBinding
- API requests to APIExport VirtualWorkspace endpoints from unexpected sources
- Failed authorization attempts followed by successful object modifications
Network Indicators:
- Unusual API traffic patterns to kcp endpoints
- Requests to APIExport VirtualWorkspace from unauthorized IP addresses
SIEM Query:
source="kcp-logs" AND ("APIExport" OR "VirtualWorkspace") AND ("create" OR "delete") AND NOT "APIBinding"
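The log indicators above, turned into a small audit-log check. This is an added example, not code from the advisory or the kcp project; it assumes kcp emits Kubernetes-style JSON audit events and that APIExport virtual workspace requests carry a /services/apiexport/<workspace>/<export>/clusters/<target-workspace>/... URL, and both the events and the APIBinding inventory are constructed.

```python
import json
import re

# Constructed Kubernetes-style audit events. The field names and the
# /services/apiexport/<workspace>/<export>/clusters/<target>/... URL layout
# are assumptions for this example, not taken from the advisory.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"user":{"username":"alice"},"verb":"get","requestURI":"/clusters/root:team-a/apis/example.io/v1/widgets","responseStatus":{"code":200}}',
    '{"user":{"username":"mallory"},"verb":"create","requestURI":"/clusters/root:team-b/apis/example.io/v1/widgets","responseStatus":{"code":403}}',
    '{"user":{"username":"mallory"},"verb":"create","requestURI":"/services/apiexport/root:provider/widgets.example.io/clusters/root:team-b/apis/example.io/v1/widgets","responseStatus":{"code":201}}',
    '{"user":{"username":"mallory"},"verb":"delete","requestURI":"/services/apiexport/root:provider/widgets.example.io/clusters/root:team-c/apis/example.io/v1/widgets/w1","responseStatus":{"code":200}}',
    '{"user":{"username":"svc-provider"},"verb":"create","requestURI":"/services/apiexport/root:provider/widgets.example.io/clusters/root:team-a/apis/example.io/v1/widgets","responseStatus":{"code":201}}',
])

# Constructed inventory of (APIExport, consuming workspace) pairs that have an
# accepted APIBinding; in practice build it by listing APIBindings.
KNOWN_BINDINGS = {("root:provider/widgets.example.io", "root:team-a")}

MUTATING = {"create", "delete", "update", "patch", "deletecollection"}
APIEXPORT_VW = re.compile(r"^/services/apiexport/([^/]+/[^/]+)/clusters/([^/]+)/")


def _events(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_unbound_mutations(log_text, bindings):
    """(user, verb, export, target) for successful mutating calls made through
    the APIExport virtual workspace into a workspace with no known APIBinding."""
    hits = []
    for ev in _events(log_text):
        if ev["verb"] not in MUTATING or ev["responseStatus"]["code"] >= 300:
            continue
        m = APIEXPORT_VW.match(ev["requestURI"])
        if m and (m.group(1), m.group(2)) not in bindings:
            hits.append((ev["user"]["username"], ev["verb"], m.group(1), m.group(2)))
    return hits


def denied_then_succeeded(log_text):
    """Users whose 403 was later followed by a successful mutating call
    (the 'failed authorization followed by modification' indicator)."""
    denied, flagged = set(), []
    for ev in _events(log_text):
        user, code = ev["user"]["username"], ev["responseStatus"]["code"]
        if code == 403:
            denied.add(user)
        elif user in denied and ev["verb"] in MUTATING and code < 300:
            flagged.append(user)
            denied.discard(user)
    return flagged
```

Run both functions over the real audit stream and feed the tuples to the SIEM; the binding inventory must be refreshed whenever APIBindings change, or legitimate provider traffic will be flagged.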