Security: kcp-dev/kcp
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
kcp front-proxy does not strip inbound X-Remote-* identity headers, allowing any authenticated client to inject groups/warrants and impersonate system:masters in any workspaceGHSA-c8w2-fgvx-vhv4 published
Jun 29, 2026 by mjudeikisCritical -
Cache server is accessible without authentication or authorization checksGHSA-3j3q-wp9x-585p published
Apr 7, 2026 by mjudeikisHigh -
Missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual WorkspaceGHSA-q6hv-wcjr-wp8h published
Sep 26, 2025 by embikLow -
Unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual WorkspaceGHSA-w2rr-38wv-8rrp published
Mar 20, 2025 by embikCritical -
Impersonation allows access to global administrative groupsGHSA-c7xh-gjv4-4jgv published
Dec 11, 2024 by embikModerate