Kubernetes is a widely adopted platform providing container orchestration, enabling developers to build, deploy, and manage containerized applications with ease. kcp, on the other hand, is a Kubernetes-like control plane that extends the Kubernetes functionality for form-factors and use-cases which are beyond Kubernetes and container workloads.

Recently, a security vulnerability, CVE-2025-29922, has been identified in kcp's APIExport VirtualWorkspace. This vulnerability allows an attacker to create or delete an object in any arbitrary target workspace for pre-existing resources, bypassing the standard authorization mechanisms. This post provides an overview of the vulnerability details, exploit scenarios, and links to the original references, along with the recommended remediation.

The Vulnerability (CVE-2025-29922)

In kcp versions prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, such actions should only be possible when the workspace owner decides to give access to an API provider by creating an APIBinding and accepting the provider's permission claims.

However, with this vulnerability, an attacker can create and delete objects even if none of these requirements are satisfied, i.e., even if there is no APIBinding in that workspace, or the workspace owner has created an APIBinding but rejected a permission claim.
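To make the intended authorization model concrete, the following is an added example (not kcp's own code) that models the decision the APIExport VirtualWorkspace is supposed to make before letting an API provider write a claimed, pre-existing resource into a workspace. The dataclass shapes (APIBinding with permission claims carrying an Accepted/Rejected state) are a simplified stand-in for kcp's real objects, and the workspace data at the bottom is constructed for the example. The three denied cases are exactly the situations the advisory says the vulnerability bypassed: no APIBinding at all, a binding to a different export, and a binding whose claim the owner rejected.

```python
from dataclasses import dataclass, field
from typing import List

# Simplified model of the kcp objects involved. Field names are modelled on
# kcp's APIBinding spec.permissionClaims, but this is illustrative code, not kcp's.


@dataclass(frozen=True)
class PermissionClaim:
    group: str     # API group of the claimed resource ("" for the core group)
    resource: str  # plural resource name, e.g. "configmaps"
    state: str     # "Accepted" or "Rejected", set by the workspace owner


@dataclass
class APIBinding:
    export_path: str  # workspace path holding the APIExport this binding points at
    export_name: str  # name of that APIExport
    permission_claims: List[PermissionClaim] = field(default_factory=list)


@dataclass
class Workspace:
    path: str
    bindings: List[APIBinding] = field(default_factory=list)


def provider_may_write(ws: Workspace, export_path: str, export_name: str,
                       group: str, resource: str) -> bool:
    """Decide whether the API provider owning (export_path, export_name) may
    create or delete objects of group/resource in ws through the APIExport
    VirtualWorkspace.

    Intended behaviour as described in the advisory: the target workspace must
    hold an APIBinding to that export AND the workspace owner must have accepted
    a permission claim for the resource. No binding, a binding to a different
    export, an unclaimed resource, or a rejected claim all mean deny.
    """
    for binding in ws.bindings:
        if (binding.export_path, binding.export_name) != (export_path, export_name):
            continue  # a binding to some other export grants this provider nothing
        for claim in binding.permission_claims:
            if (claim.group, claim.resource) == (group, resource):
                return claim.state == "Accepted"
        return False  # bound, but this resource was never claimed
    return False  # no APIBinding to this export in the workspace


# Constructed sample data: three workspaces in the states the advisory describes.
EXPORT_PATH, EXPORT_NAME = "root:providers", "widgets.example.com"

WS_NO_BINDING = Workspace(path="root:tenant-a")

WS_REJECTED = Workspace(path="root:tenant-b", bindings=[
    APIBinding(EXPORT_PATH, EXPORT_NAME, [PermissionClaim("", "configmaps", "Rejected")]),
])

WS_ACCEPTED = Workspace(path="root:tenant-c", bindings=[
    APIBinding(EXPORT_PATH, EXPORT_NAME, [PermissionClaim("", "configmaps", "Accepted")]),
])

WS_OTHER_EXPORT = Workspace(path="root:tenant-d", bindings=[
    APIBinding("root:other", "gadgets.example.com", [PermissionClaim("", "configmaps", "Accepted")]),
])


def audit(workspaces: List[Workspace]) -> dict:
    """Map each workspace path to whether our provider may write core configmaps there."""
    return {ws.path: provider_may_write(ws, EXPORT_PATH, EXPORT_NAME, "", "configmaps")
            for ws in workspaces}


if __name__ == "__main__":
    for path, allowed in audit([WS_NO_BINDING, WS_REJECTED, WS_ACCEPTED, WS_OTHER_EXPORT]).items():
        print(f"{path}: {'allow' if allowed else 'deny'}")
```

Only root:tenant-c, where the owner both bound the export and accepted the claim, should permit the write; the vulnerable versions effectively behaved as if every branch returned True for pre-existing resources, which is why updating is the only remediation.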

Here's a code snippet that demonstrates the issue:

apiVersion: core.example.com/v1
kind: APIExport
metadata:
  name: vulnerable-object
spec:
  workspaceRef:
    name: target-workspace
  reference:
    apiVersion: v1
    kind: ExistingResource
    name: existing-resource-object

The snippet above illustrates an attacker attempting to create or delete an object in target-workspace without the APIBinding and accepted permission claim that should be required.

Exploit Scenarios

With this vulnerability, an attacker with access to the APIExport VirtualWorkspace can create or delete objects in workspaces they were never granted access to, leading to the following exploit scenarios:

1. Creating and deleting objects without explicit access granted by the workspace owner.

2. Spoofing a legitimate user, with the ability to create and delete objects in workspaces that they do not have access to.

Recommendations and Fixes

A fix for this vulnerability has been published in kcp versions 0.26.3 and 0.27.0. Users of kcp should update their installations to one of these patched versions in order to be protected from potential exploitation of this issue.

Original References

1. kcp GitHub Repository: https://github.com/kcp-dev/kcp
2. kcp Release Notes 0.26.3: https://github.com/kcp-dev/kcp/releases/tag/v0.26.3
3. kcp Release Notes 0.27.0: https://github.com/kcp-dev/kcp/releases/tag/v0.27.0

Conclusion

This post provided an overview of the CVE-2025-29922 vulnerability in kcp's APIExport VirtualWorkspace, which allows unauthorized object creation and deletion. It is crucial for kcp users to update their installations to version 0.26.3 or 0.27.0 in order to mitigate the risk posed by this security vulnerability. By staying vigilant and proactive in addressing such issues, users can continue to ensure the security of their systems and protect their data.

Timeline

Published on: 03/20/2025 18:15:19 UTC