A high-severity vulnerability (CVE-2025-29922, CVSS 9.6) has been discovered in the kcp project, a multi-tenant Kubernetes-like control plane. The flaw allows unauthorized users to create and delete objects in arbitrary workspaces through the APIExport Virtual Workspace, bypassing permission requirements. This breaks the expected security model, which mandates explicit APIBinding authorization by workspace owners.
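The invariant described above can be expressed as an audit over write records. The following is an added example, not code from kcp: the `Binding` and `Write` shapes, the workspace paths and the sample records are all constructed for illustration, and they model only the rule that a create or delete reaching a workspace must be backed by that workspace owner's own binding to the same export.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:          # simplified stand-in for an APIBinding (assumed shape)
    workspace: str      # workspace whose owner created the binding
    export_path: str    # workspace that owns the APIExport
    export_name: str
    bound: bool = True  # False: binding exists but never completed

@dataclass(frozen=True)
class Write:            # one request seen through the export's virtual workspace
    verb: str
    export_path: str
    export_name: str
    target_workspace: str
    resource: str
WRITE_VERBS = {"create", "delete"}  # the two operations the advisory names

def is_authorized(write, bindings):
    """True only if the target workspace's owner bound this exact export."""
    return any(
        b.bound
        and b.workspace == write.target_workspace
        and b.export_path == write.export_path
        and b.export_name == write.export_name
        for b in bindings
    )

def unauthorized_writes(writes, bindings):
    """Return writes that reached a workspace lacking a matching binding."""
    return [w for w in writes
            if w.verb in WRITE_VERBS and not is_authorized(w, bindings)]

BINDINGS = [  # constructed sample data
    Binding("root:team-a", "root:provider", "widgets"),
    Binding("root:team-b", "root:provider", "widgets", bound=False),
    Binding("root:team-c", "root:other", "widgets"),  # same name, other export
]
WRITES = [  # constructed sample data
    Write("create", "root:provider", "widgets", "root:team-a", "widgets/w1"),
    Write("create", "root:provider", "widgets", "root:team-b", "widgets/w2"),
    Write("delete", "root:provider", "widgets", "root:team-c", "widgets/w3"),
    Write("create", "root:provider", "widgets", "root:team-d", "widgets/w4"),
    Write("list", "root:provider", "widgets", "root:team-d", "widgets"),
]

if __name__ == "__main__":
    for w in unauthorized_writes(WRITES, BINDINGS):
        print(f"UNAUTHORIZED {w.verb} {w.resource} in {w.target_workspace}")
```

Matching on both the export's path and its name matters: a binding to a different provider's export that happens to share a name must not authorize the write.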