CVE-2025-29922 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-29922 Interim 1 4 2026-03-05T01:10:26Z current 2025-03-30T00:11:55Z 2026-03-05T01:10:26Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-29922 kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ E-Mail link for openSUSE-SU-2025:14937-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-EC2 SUSE Linux Enterprise Server 16.0 openSUSE Tumbleweed cloud-init-25.1.3-slfo.1.1_1.1 cloud-init-config-suse-25.1.3-slfo.1.1_1.1 govulncheck-vulndb-0.0.20250327T184518-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-Azure cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-Azure cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-Azure cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-Azure cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-EC2 cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-EC2 cloud-init-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 cloud-init-config-suse-25.1.3-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250327T184518-1.1 as a component of openSUSE Tumbleweed kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0. CVE-2025-29922 Image SLE-Micro:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-Azure:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-Azure:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS-Azure:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS-Azure:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS-EC2:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-BYOS-EC2:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 Image SLE-Micro-EC2:cloud-init-25.1.3-slfo.1.1_1.1 Image SLE-Micro-EC2:cloud-init-config-suse-25.1.3-slfo.1.1_1.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 critical