GHSA-Q6HV-WCJR-WP8H
Vulnerability from github – Published: 2025-09-26 15:00 – Updated: 2025-10-23 20:15Impact
Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the initializingworkspaces virtual workspace to run arbitrary patches on the status field of LogicalCluster objects while the workspace is initializing.
This allows to add or remove any initializers as well as changing the phase of a LogicalCluster (to "Ready" for example).
As this effectively allows to skip certain initializers or the entire initialization phase, potential integrations with external systems such as billing or security could be affected. Their initializers could be skipped by a WorkspaceType that adds another initializer and grants permissions to the virtual workspace to a rogue or compromised entity.
Who is impacted?
- Impacts other owners of
WorkspaceTypeswith initializers that are inherited by otherWorkspaceTypes. - Impacts developers using the
virtual/frameworkpackage to create their own virtualworkspaces if they are using UpdateFuncs in their custom storageWrappers.
Details
The issue occurs because the rest.ValidateObjectUpdateFunc is not being called within the DefaultDynamicDelegatedStoreFuncs. As a result, the intended status overwrite protection from initializers never gets called, allowing arbitrary logicalcluster status patches.
Patches
The problem has been patched in #3599 and is available in kcp 0.28.3 and higher.
Workarounds
- Further limit access to the
initializeverb onWorkspaceTypeobjects (see documentation for details). - Only use trusted
WorkspaceTypeobjects.
References
See the pull request (#3599).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.28.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/kcp-dev/kcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.28.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-26T15:00:19Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nBecause UPDATE validation is not being applied, it is possible for an actor with access to an instance of the [initializingworkspaces virtual workspace](https://docs.kcp.io/kcp/latest/concepts/workspaces/workspace-initialization/) to run arbitrary patches on the status field of `LogicalCluster` objects while the workspace is initializing.\n\nThis allows to add or remove any initializers as well as changing the phase of a `LogicalCluster` (to \"Ready\" for example).\n\nAs this effectively allows to skip certain initializers or the entire initialization phase, potential integrations with external systems such as billing or security could be affected. Their initializers could be skipped by a `WorkspaceType` that adds another initializer and grants permissions to the virtual workspace to a rogue or compromised entity.\n\n_Who is impacted?_\n\n* Impacts other owners of `WorkspaceTypes` with initializers that are inherited by other `WorkspaceTypes`.\n* Impacts developers using the `virtual/framework` package to create their own virtualworkspaces if they are using UpdateFuncs in their custom storageWrappers.\n\n### Details\n\nThe issue occurs because the [rest.ValidateObjectUpdateFunc](https://github.com/kcp-dev/kcp/blob/cli/v0.28.1/pkg/virtual/framework/forwardingregistry/store.go#L174) is not being called within the DefaultDynamicDelegatedStoreFuncs. As a result, the intended status overwrite protection from initializers never gets called, allowing arbitrary logicalcluster status patches.\n\n### Patches\n\nThe problem has been patched in #3599 and is available in kcp 0.28.3 and higher.\n\n### Workarounds\n\n- Further limit access to the `initialize` verb on `WorkspaceType` objects (see [documentation](https://docs.kcp.io/kcp/v0.28/concepts/workspaces/workspace-initialization/#enforcing-permissions-for-initializers) for details).\n- Only use trusted `WorkspaceType` objects.\n\n### References\n\nSee the pull request (#3599).",
"id": "GHSA-q6hv-wcjr-wp8h",
"modified": "2025-10-23T20:15:01Z",
"published": "2025-09-26T15:00:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-q6hv-wcjr-wp8h"
},
{
"type": "WEB",
"url": "https://github.com/kcp-dev/kcp/pull/3599"
},
{
"type": "WEB",
"url": "https://github.com/kcp-dev/kcp/commit/02134a2a51d33652ab288cccd7a13539b59c7584"
},
{
"type": "PACKAGE",
"url": "https://github.com/kcp-dev/kcp"
},
{
"type": "WEB",
"url": "https://github.com/kcp-dev/kcp/releases/tag/v0.28.3"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.