CVE-2025-29922: Unauthorized Object Manipulation via APIExport in kcp Virtual Workspaces

Critical Authorization Flaw in kcp’s APIExport VirtualWorkspace

On March 20, 2025, a critical vulnerability identified as CVE-2025-29922 was disclosed in kcp, a Kubernetes-like control plane framework developed by kcp-dev. This flaw allows unauthorized users to create or delete objects across arbitrary workspaces via the APIExport VirtualWorkspace.

Understanding the Vulnerability

kcp provides flexible workspace-based API management for workloads beyond standard Kubernetes clusters. A core security control is that a workspace owner must explicitly grant an API provider access to their workspace by creating an APIBinding; without that binding (and the owner's acceptance of the provider's permission claims), the provider should have no access to the workspace's objects.

However, due to improper authorization logic (categorized as CWE-285: Improper Authorization), any low-privileged user could use the APIExport VirtualWorkspace interface to:

  • Create objects in any target workspace
  • Delete existing resources in unauthorized workspaces

This could occur even when:

  • No APIBinding exists in the target workspace
  • The workspace owner explicitly rejected the permission claim

Effectively, this bypasses the entire access control model meant to protect kcp environments.
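The check that the advisory describes as bypassed, modelled in Go as an added example (this is not kcp's own code; the types, the "provider:export" naming and the Accepted/Rejected claim states are a deliberately simplified stand-in for kcp's APIBinding and permission-claim model): a request arriving through the virtual workspace is denied unless the target workspace holds an APIBinding for the requesting export and the workspace owner accepted the specific claim. Both conditions the page lists (no APIBinding, claim rejected) fall out as denials with an audit-friendly reason.

```go
package main

import "fmt"

// PermissionClaim names a resource that an APIExport asks to read or write
// in the workspaces that bind to it (simplified model, not kcp's type).
type PermissionClaim struct {
	Group    string
	Resource string
}

// ClaimState records the workspace owner's decision on a permission claim.
type ClaimState string

const (
	ClaimAccepted ClaimState = "Accepted"
	ClaimRejected ClaimState = "Rejected"
)

// APIBinding is the workspace owner's explicit grant of an APIExport into
// one workspace, together with the owner's per-claim decisions.
type APIBinding struct {
	Workspace string // consuming workspace this binding lives in
	Export    string // "<provider-workspace>:<export-name>" (assumed naming)
	Claims    map[PermissionClaim]ClaimState
}

// Request is a create/delete attempted through the virtual workspace.
type Request struct {
	Export          string
	TargetWorkspace string
	Claim           PermissionClaim
	Verb            string // "create", "delete", ...
}

// Decision is the authorizer's verdict plus a reason suitable for audit logs.
type Decision struct {
	Allowed bool
	Reason  string
}

// Authorizer holds the APIBindings known to the control plane.
type Authorizer struct {
	bindings []APIBinding
}

// Authorize denies unless the target workspace holds an APIBinding for the
// requesting export AND the owner accepted the specific claim. A binding in
// some other workspace, or for some other export, never counts.
func (a Authorizer) Authorize(r Request) Decision {
	var binding *APIBinding
	for i := range a.bindings {
		b := &a.bindings[i]
		if b.Workspace == r.TargetWorkspace && b.Export == r.Export {
			binding = b
			break
		}
	}
	if binding == nil {
		return Decision{false, fmt.Sprintf("no APIBinding for export %q in workspace %q", r.Export, r.TargetWorkspace)}
	}
	state, declared := binding.Claims[r.Claim]
	switch {
	case !declared:
		return Decision{false, fmt.Sprintf("claim %s/%s not declared in binding", r.Claim.Group, r.Claim.Resource)}
	case state == ClaimRejected:
		return Decision{false, fmt.Sprintf("owner of %q rejected claim %s/%s", r.TargetWorkspace, r.Claim.Group, r.Claim.Resource)}
	case state == ClaimAccepted:
		return Decision{true, fmt.Sprintf("%s %s/%s permitted by accepted claim", r.Verb, r.Claim.Group, r.Claim.Resource)}
	default:
		return Decision{false, fmt.Sprintf("unknown claim state %q", state)}
	}
}

// SampleAuthorizer builds constructed sample data: two workspaces bound to
// the same export, one accepting and one rejecting the "widgets" claim.
func SampleAuthorizer() Authorizer {
	widgets := PermissionClaim{Group: "example.io", Resource: "widgets"}
	return Authorizer{bindings: []APIBinding{
		{Workspace: "team-a", Export: "provider:widgets-export", Claims: map[PermissionClaim]ClaimState{widgets: ClaimAccepted}},
		{Workspace: "team-b", Export: "provider:widgets-export", Claims: map[PermissionClaim]ClaimState{widgets: ClaimRejected}},
	}}
}

func main() {
	auth := SampleAuthorizer()
	widgets := PermissionClaim{Group: "example.io", Resource: "widgets"}
	// team-c has no binding at all; only team-a should be allowed.
	for _, ws := range []string{"team-a", "team-b", "team-c"} {
		d := auth.Authorize(Request{Export: "provider:widgets-export", TargetWorkspace: ws, Claim: widgets, Verb: "create"})
		fmt.Printf("%-7s allowed=%-5v %s\n", ws, d.Allowed, d.Reason)
	}
}
```

The design point is that the binding lookup is keyed on the target workspace of the request, not on who the caller is or which export they hold: the owner's APIBinding in that workspace is the only thing that can grant access, which is exactly the invariant the advisory says was not enforced.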

CVSS Score and Impact

The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (CRITICAL), using the following vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Key factors contributing to this score include:

  • Attack Vector: Network – exploitable remotely over the network
  • Attack Complexity: Low – no special conditions or preparation are needed
  • Privileges Required: Low – only a low-privileged account is needed
  • Scope: Changed – the impact reaches workspaces beyond the vulnerable component
  • Confidentiality & Integrity Impact: High – unauthorized access to and manipulation of data is possible
  • Availability Impact: None – system stability remains intact
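How the vector above turns into the 9.6 score, worked through in Go as an added example (this is a CVSS v3.1 base-score calculator written for this page, not a kcp or FIRST tool; the metric weights and the Roundup function are those of the CVSS v3.1 specification). The Scope: Changed branch is what makes this vector score so high: it switches Privileges Required: Low from 0.62 to 0.68 and applies the 1.08 multiplier to the combined impact and exploitability sub-scores.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Base-metric weights from the CVSS v3.1 specification, keyed "Metric:Value".
// Privileges Required weighs more when Scope is Changed, hence the "/S:C" keys.
var weights = map[string]float64{
	"AV:N": 0.85, "AV:A": 0.62, "AV:L": 0.55, "AV:P": 0.20,
	"AC:L": 0.77, "AC:H": 0.44,
	"UI:N": 0.85, "UI:R": 0.62,
	"C:H": 0.56, "C:L": 0.22, "C:N": 0,
	"I:H": 0.56, "I:L": 0.22, "I:N": 0,
	"A:H": 0.56, "A:L": 0.22, "A:N": 0,
	"PR:N": 0.85, "PR:L": 0.62, "PR:H": 0.27, // Scope Unchanged
	"PR:N/S:C": 0.85, "PR:L/S:C": 0.68, "PR:H/S:C": 0.50, // Scope Changed
}

// roundUp is the specification's Roundup: one decimal place, always rounded
// up, computed on integers to avoid floating-point artefacts.
func roundUp(x float64) float64 {
	i := int(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// ParseVector splits "CVSS:3.1/AV:N/AC:L/..." into a metric map and checks
// that all eight base metrics are present and Scope is U or C.
func ParseVector(vec string) (map[string]string, error) {
	parts := strings.Split(vec, "/")
	if parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("not a CVSS v3.1 vector: %q", vec)
	}
	m := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed metric %q", p)
		}
		m[kv[0]] = kv[1]
	}
	for _, k := range []string{"AV", "AC", "PR", "UI", "S", "C", "I", "A"} {
		if _, ok := m[k]; !ok {
			return nil, fmt.Errorf("missing base metric %s", k)
		}
	}
	if m["S"] != "U" && m["S"] != "C" {
		return nil, fmt.Errorf("invalid Scope %q", m["S"])
	}
	return m, nil
}

// BaseScore computes the CVSS v3.1 base score for a vector string.
func BaseScore(vec string) (float64, error) {
	m, err := ParseVector(vec)
	if err != nil {
		return 0, err
	}
	changed := m["S"] == "C"
	w := map[string]float64{}
	for _, k := range []string{"AV", "AC", "PR", "UI", "C", "I", "A"} {
		key := k + ":" + m[k]
		if k == "PR" && changed {
			key += "/S:C"
		}
		v, ok := weights[key]
		if !ok {
			return 0, fmt.Errorf("invalid value %q for metric %s", m[k], k)
		}
		w[k] = v
	}
	// Impact sub-score: fraction of C/I/A lost, then scaled according to scope.
	iss := 1 - (1-w["C"])*(1-w["I"])*(1-w["A"])
	impact := 6.42 * iss
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * w["AV"] * w["AC"] * w["PR"] * w["UI"]
	if impact <= 0 {
		return 0, nil
	}
	if changed {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

func main() {
	const kcpVector = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" // the advisory's vector
	score, err := BaseScore(kcpVector)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s -> %.1f\n", kcpVector, score) // -> 9.6
}
```

For this vector the impact sub-score comes out near 5.76 and the exploitability sub-score near 3.11; 1.08 times their sum is about 9.58, which Roundup lifts to 9.6. The same code evaluates any other v3.1 base vector, so it can be used to sanity-check scores quoted in advisories before they drive patch prioritisation.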

Remediation

The issue has been patched in kcp versions 0.26.3 and 0.27.0. All users should:

  • Upgrade to a patched version immediately
  • Review and audit APIExport usage and bindings
  • Validate workspace access configurations

There is currently no evidence of public exploitation, but the impact is severe if left unpatched.

Conclusion

CVE-2025-29922 exposes a critical breakdown in authorization controls within kcp. Organizations relying on kcp for API-based service control should prioritize applying updates and verifying their permission models. This vulnerability highlights the importance of robust authorization enforcement in distributed systems.