๐Ÿ” CVE Alert

CVE-2026-61459

CRITICAL 9.8

MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools

CVSS Score
9.8
EPSS Score
0.4%
EPSS Percentile
34th

MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.

CWE CWE-88
Vendor flux159
Product mcp-server-kubernetes
Published Jul 10, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for flux159 mcp-server-kubernetes

Be the first to know when new critical vulnerabilities affecting flux159 mcp-server-kubernetes are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Flux159 / mcp-server-kubernetes
0 < 3.9.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/Flux159/mcp-server-kubernetes/releases/tag/3.9.0 github.com: https://github.com/Flux159/mcp-server-kubernetes/issues/328 github.com: https://github.com/Flux159/mcp-server-kubernetes/pull/329 github.com: https://github.com/Flux159/mcp-server-kubernetes/commit/d7890f50a4567bf5d9842541ba6f41e180227f9a vulncheck.com: https://www.vulncheck.com/advisories/mcp-server-kubernetes-argument-injection-via-kubectl-structured-tools

Credits

George Chen