Summary: A critical vulnerability (CVE-2025-29922) in the kcp project allows unauthorized creation and deletion of objects across arbitrary workspaces through the APIExport Virtual Workspace, bypassing the intended access controls. With a CVSS score of 9.6, this issue poses a significant security risk for users running kcp in multi-tenant deployments. Users are urged to upgrade to patched versions 0.26.3 or 0.27.0; temporary workarounds are provided for those unable to upgrade immediately.
Affected: kcp project (Kubernetes-like control plane)
Key points:
- Vulnerability allows unauthorized actions within any workspace via APIExport Virtual Workspace.
- An attacker can create or delete objects regardless of existing permissions or APIBindings.
- Users should upgrade to versions 0.26.3 or 0.27.0 to mitigate risks.
- Suggested workarounds include limiting access to APIExport resources and filtering requests through reverse proxies.
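As an added illustration of the first workaround (this is not part of the original advisory and not the kcp project's own manifests): kcp applies standard Kubernetes RBAC inside each workspace, so access to APIExport objects can be narrowed from a blanket grant to a single named export bound to one service account. The API group `apis.kcp.io` and the resource name `apiexports` are assumptions here and should be checked against the kcp release in use; the export and subject names are constructed. The first ClusterRole is the over-broad form to avoid, the second is the narrowed form.

```yaml
# Over-broad grant (to avoid): every subject bound to this role can read and
# enumerate all APIExport objects in the workspace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apiexport-read-all            # constructed name
rules:
- apiGroups: ["apis.kcp.io"]          # assumed API group for kcp APIExport
  resources: ["apiexports"]           # assumed resource name
  verbs: ["get", "list", "watch"]
---
# Narrowed grant: only the one export this provider owns, read-only.
# resourceNames only constrains name-scoped verbs such as "get"; "list" and
# "watch" are intentionally left out because RBAC cannot restrict them by name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apiexport-provider-widgets    # constructed name
rules:
- apiGroups: ["apis.kcp.io"]          # assumed API group for kcp APIExport
  resources: ["apiexports"]           # assumed resource name
  resourceNames: ["widgets.example.com"]   # constructed export name
  verbs: ["get"]
---
# Bind the narrowed role to the single service account that should use it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: apiexport-provider-widgets    # constructed name
subjects:
- kind: ServiceAccount
  name: widgets-controller            # constructed subject
  namespace: default
roleRef:
  kind: ClusterRole
  name: apiexport-provider-widgets
  apiGroup: rbac.authorization.k8s.io
```

Apply the narrowed ClusterRole and ClusterRoleBinding in the workspace that holds the export, then review existing bindings for any wildcard or `list`/`watch` grants on `apiexports` that are no longer needed. This reduces who can reach APIExport objects while the upgrade to 0.26.3 or 0.27.0 is scheduled; it does not replace the upgrade.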