Is this vulnerability remotely exploitable?

It can be, depending on how the root shard is exposed. If the root shard or its cache server is reachable from outside a trusted boundary (e.g., over the internet or from untrusted networks), remote attackers could interact with the cache without any credentials. In more restricted environments, exploitation may be limited to internal or lateral attackers.

What level of access does an attacker need?

The attacker only needs network connectivity to the root shard's cache server endpoint. No authentication tokens, certificates, or Kubernetes credentials are required because the cache server does not enforce them.

What is the safest general fix pattern?

Place the cache server behind a properly authenticated and authorized interface. Ensure all cache operations go through components that enforce identity verification and fine-grained authorization rules, and avoid exposing the raw cache service directly on shared or untrusted networks.

Severity:

HIGH RISK

(8.2)

Missing Authentication and Authorization (CWE-302, CWE-862) on kcp Cache Server

CVE-2026-39429

Published:

Apr 8, 2026

Status:

Undergoing Analysis

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-77;CWE-78

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI Handler setAccessDeviceCfg

Remote Code Execution on the Router

April 12, 2026

CWE-77;CWE-78

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI setLedCfg Handler

Remote Code Execution on the Router

April 12, 2026

Vulnerability Type

Category:

Missing Authentication and Authorization

CWE:

CWE-302;CWE-862

Impact:

Unauthorized Access and Data Tampering

Severity:

HIGH RISK

(8.2)

CVSS Version:

3.1

Vulnerability Type

Category:

Missing Authentication and Authorization

CWE:

CWE-302;CWE-862

Impact:

Unauthorized Access and Data Tampering

Severity:

HIGH RISK

(8.2)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Missing Authentication and Authorization (CWE-302, CWE-862) on kcp Cache Server

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI Handler setAccessDeviceCfg

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI setLedCfg Handler

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare