What is CVE-2025-29922?

CVE-2025-29922 is a critical-severity vulnerability in Kcp-dev Kcp, classified under Improper Authorization. CVSS score: 9.6/10. Published 2025-03-20.

How severe is CVE-2025-29922?

Critical severity. CVSS v3 base score is 9.6 out of 10.

Auth bypass in Kcp-dev Kcp

CVE-2025-29922

kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any…

EPSS: 0.002 (37.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.6 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N.

Affected products

Kcp-dev Kcp — versions < 0.26.3

Weakness classification (CWE)

CWE-285 — Improper Authorization

References

https://github.com/kcp-dev/kcp/security/advisories/GHSA-w2rr-38wv-8rrp (x_refsource_CONFIRM)
https://github.com/kcp-dev/kcp/pull/3338 (x_refsource_MISC)
https://github.com/kcp-dev/kcp/commit/614ecbf35f11db00f65391ab6fbb1547ca8b5d38 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-29922?: CVE-2025-29922 is a critical-severity vulnerability in Kcp-dev Kcp, classified under Improper Authorization. CVSS score: 9.6/10. Published 2025-03-20.
How severe is CVE-2025-29922?: Critical severity. CVSS v3 base score is 9.6 out of 10.