x/vulndb: potential Go vuln in github.com/kcp-dev/kcp: GHSA-q6hv-wcjr-wp8h

Advisory [GHSA-q6hv-wcjr-wp8h](https://github.com/advisories/GHSA-q6hv-wcjr-wp8h) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/kcp-dev/kcp](https://pkg.go.dev/github.com/kcp-dev/kcp) |

Description:
### Impact

Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the [initializingworkspaces virtual workspace](https://docs.kcp.io/kcp/latest/concepts/workspaces/workspace-initialization/) to run arbitrary patches on the status field of `LogicalCluster` objects while the workspace is initializing.

This allows to add or remove any initializers as well as changing the phase of a `LogicalCluster` (to "Ready" for example).

As this effectively allows to skip certain initializers or the entire initialization phase, potential integrations with e...

References:
- ADVISORY: https://github.com/advisories/GHSA-q6hv-wcjr-wp8h
- ADVISORY: https://github.com/kcp-dev/kcp/security/advisories/GHSA-q6hv-wcjr-wp8h
- FIX: https://github.com/kcp-dev/kcp/commit/02134a2a51d33652ab288cccd7a13539b59c7584
- FIX: https://github.com/kcp-dev/kcp/pull/3599
- WEB: https://github.com/kcp-dev/kcp/releases/tag/v0.28.3

Cross references:
- github.com/kcp-dev/kcp appears in 2 other report(s):
  - data/reports/GO-2024-3325.yaml    (https://github.com/golang/vulndb/issues/3325)
  - data/reports/GO-2025-3538.yaml    (https://github.com/golang/vulndb/issues/3538)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/kcp-dev/kcp
      non_go_versions:
        - introduced: TODO (earliest fixed "0.28.3", vuln range "<= 0.28.1")
      vulnerable_at: 0.28.3
summary: |-
    kcp is missing update validation allows arbitrary LogicalCluster status patches
    through initializingworkspaces Virtual Workspace in github.com/kcp-dev/kcp
ghsas:
    - GHSA-q6hv-wcjr-wp8h
references:
    - advisory: https://github.com/advisories/GHSA-q6hv-wcjr-wp8h
    - advisory: https://github.com/kcp-dev/kcp/security/advisories/GHSA-q6hv-wcjr-wp8h
    - fix: https://github.com/kcp-dev/kcp/commit/02134a2a51d33652ab288cccd7a13539b59c7584
    - fix: https://github.com/kcp-dev/kcp/pull/3599
    - web: https://github.com/kcp-dev/kcp/releases/tag/v0.28.3
source:
    id: GHSA-q6hv-wcjr-wp8h
    created: 2025-09-26T15:01:26.934542827Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/kcp-dev/kcp: GHSA-q6hv-wcjr-wp8h #3985

Impact

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/kcp-dev/kcp: GHSA-q6hv-wcjr-wp8h #3985

Description

Impact

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions