
A high-severity vulnerability has been identified in the kcp project, a Kubernetes-like control plane designed for multi-tenant environments. The vulnerability, tracked as CVE-2025-29922 with a CVSS score of 9.6, allows for unauthorized creation and deletion of objects in arbitrary workspaces through the APIExport Virtual Workspace.
kcp is designed to provide a control plane for many independent, isolated “clusters” known as workspaces. It enables API service providers to offer APIs centrally using multi-tenant operators and simplifies API consumption for users in their workspaces. The APIExport Virtual Workspace plays a crucial role in managing objects within these workspaces, allowing API providers to access API consumers’ workspaces to deliver their services.
However, the identified vulnerability allows objects of pre-existing resources to be created or deleted via the APIExport Virtual Workspace in any target workspace. This breaks the intended design: such writes should only be possible once the workspace owner has opted in to the API provider by creating an APIBinding in that workspace, and, for resources the APIExport does not define itself, has accepted the provider's permission claim for them.
The vulnerability poses a significant risk because it lets an attacker with access to the virtual workspace create and delete objects without either of those grants. As the advisory states: “With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim”.
To address this vulnerability, fixes have been included in kcp versions 0.26.3 and 0.27.0. Users are strongly advised to upgrade to one of these patched versions.
For those unable to upgrade immediately, the advisory provides the following workarounds:
- “Minimize the set of people with apiexport/content sub-resource access to APIExport resources”. The advisory stresses that this must be applied in all workspaces to be effective, because access gained through any one APIExport's virtual workspace reaches arbitrary target workspaces.
- “Filter incoming requests in a reverse proxy with a similar logic as the authorizer added in the referenced pull request”, that is, reject writes arriving through the APIExport Virtual Workspace unless the target workspace holds an APIBinding to that APIExport and, where the resource is not one the export defines, the matching permission claim has been accepted.
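The decision such a reverse-proxy filter (or the in-server authorizer) has to make can be shown with a small Go model. This is an added example written for this page, not kcp's own code and not the fix from the referenced pull request. The virtual workspace URL layout, the `workspace:export` key format, the two-state permission claim and the inventory of APIBindings are assumptions for the example; the real kcp types carry more fields and the real authorizer consults live objects rather than an in-memory map.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ClaimState models the state a workspace owner sets on a permission claim in
// their APIBinding. Simplified from the real kcp API for this example.
type ClaimState string

const (
	ClaimAccepted ClaimState = "Accepted"
	ClaimRejected ClaimState = "Rejected"
)

// PermissionClaim is the consumer's answer to a provider's request to touch a
// resource the APIExport does not itself define (e.g. core configmaps).
type PermissionClaim struct {
	Group    string // "" for the core API group
	Resource string
	State    ClaimState
}

// APIBinding is the workspace owner's opt-in to one APIExport.
type APIBinding struct {
	Export string // "<export workspace>:<export name>", assumed key format
	Claims []PermissionClaim
}

// Request is a write arriving through the APIExport virtual workspace.
type Request struct {
	Export          string // export the request was addressed to
	TargetWorkspace string // workspace the object lives in
	Group, Resource string
}

// Inventory is the constructed state the filter consults: which APIBindings
// exist in which workspace, and which "group/resource" each export defines.
type Inventory struct {
	Bindings map[string][]APIBinding
	Exported map[string][]string
}

var (
	ErrNoBinding     = errors.New("target workspace has no APIBinding for this APIExport")
	ErrNoClaim       = errors.New("APIBinding has no permission claim for this resource")
	ErrClaimRejected = errors.New("permission claim for this resource was rejected")
)

// Authorize returns nil only when the target workspace opted in to the export
// and, for resources the export does not own, the matching claim is Accepted.
// Every other case is denied; the unpatched path skipped these checks.
func (inv Inventory) Authorize(req Request) error {
	var binding *APIBinding
	for i := range inv.Bindings[req.TargetWorkspace] {
		if inv.Bindings[req.TargetWorkspace][i].Export == req.Export {
			binding = &inv.Bindings[req.TargetWorkspace][i]
			break
		}
	}
	if binding == nil {
		return ErrNoBinding
	}
	key := req.Group + "/" + req.Resource
	for _, owned := range inv.Exported[req.Export] {
		if owned == key {
			return nil // the binding itself grants the export's own resources
		}
	}
	for _, c := range binding.Claims {
		if c.Group == req.Group && c.Resource == req.Resource {
			if c.State == ClaimAccepted {
				return nil
			}
			return ErrClaimRejected
		}
	}
	return ErrNoClaim
}

// ParsePath turns a virtual workspace URL path into a Request. The layout
// assumed here (an assumption for this example, not kcp's documented contract):
//   /services/apiexport/<export-ws>/<export>/clusters/<target>/api/<ver>/<resource>/...
//   /services/apiexport/<export-ws>/<export>/clusters/<target>/apis/<group>/<ver>/<resource>/...
func ParsePath(p string) (Request, error) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	bad := fmt.Errorf("not an APIExport virtual workspace path: %q", p)
	if len(parts) < 9 || parts[0] != "services" || parts[1] != "apiexport" || parts[4] != "clusters" {
		return Request{}, bad
	}
	req := Request{Export: parts[2] + ":" + parts[3], TargetWorkspace: parts[5]}
	switch parts[6] {
	case "api": // core group
		req.Group, req.Resource = "", parts[8]
	case "apis": // named group
		if len(parts) < 10 {
			return Request{}, bad
		}
		req.Group, req.Resource = parts[7], parts[9]
	default:
		return Request{}, bad
	}
	return req, nil
}

// sampleInventory is constructed test data: one export "widgets" in workspace
// root:providers, three consumer workspaces with different opt-in states.
func sampleInventory() Inventory {
	return Inventory{
		Exported: map[string][]string{"root:providers:widgets": {"widgets.example.io/widgets"}},
		Bindings: map[string][]APIBinding{
			"team-a": {{Export: "root:providers:widgets", Claims: []PermissionClaim{{"", "configmaps", ClaimAccepted}}}},
			"team-b": {{Export: "root:providers:widgets", Claims: []PermissionClaim{{"", "configmaps", ClaimRejected}}}},
			// team-c has no APIBinding at all
		},
	}
}

func main() {
	inv := sampleInventory()
	for _, p := range []string{
		"/services/apiexport/root:providers/widgets/clusters/team-a/apis/widgets.example.io/v1/widgets",
		"/services/apiexport/root:providers/widgets/clusters/team-a/api/v1/configmaps",
		"/services/apiexport/root:providers/widgets/clusters/team-a/api/v1/secrets",
		"/services/apiexport/root:providers/widgets/clusters/team-b/api/v1/configmaps",
		"/services/apiexport/root:providers/widgets/clusters/team-c/api/v1/configmaps",
	} {
		req, err := ParsePath(p)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-7s %s/%s -> %v\n", req.TargetWorkspace, req.Group, req.Resource, inv.Authorize(req))
	}
}
```

Only the first two requests are allowed: team-a bound the export (so its own widgets resource is reachable) and accepted the configmaps claim. The secrets write fails because no claim exists, team-b's configmaps write fails because the claim was rejected, and team-c is denied outright because it never created an APIBinding, which are exactly the three cases the advisory says the unpatched virtual workspace let through.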