Description
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command is constructed via string concatenation with user-controlled input and then naively split on spaces before being passed to spawn(). Unlike all other tools in the codebase which correctly use array-based argument passing with execFileSync(), port_forward treats every space in user-controlled fields (namespace, resourceType, resourceName, localPort, targetPort) as an argument boundary, allowing an attacker to inject arbitrary kubectl flags. This enables exposure of internal Kubernetes services to the network by injecting --address=0.0.0.0, cross-namespace targeting by injecting additional -n flags, and indirect exploitation via prompt injection against AI agents connected to the MCP server. This issue has been fixed in version 3.5.0.
Published: 2026-04-14
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of Internal Kubernetes Services
Action: Patch
AI Analysis

Impact

The vulnerability is an argument injection flaw in the port_forward tool of mcp-server-kubernetes. The code builds a kubectl command using string concatenation with user-supplied fields and naively splits the resulting string on spaces before passing it to spawn(). Each user-controlled space is treated as an argument boundary, allowing an attacker to inject arbitrary kubectl flags. This enables exposure of internal Kubernetes services to the network, cross-namespace targeting by injecting additional -n flags, and potential indirect exploitation via prompt injection against AI agents connected to the MCP server. The weakness is identified as CWE‑88 (Argument Injection).

Affected Systems

The affected product is Flux159's mcp-server-kubernetes. Versions 3.4.0 and earlier are vulnerable, as indicated by the advisory. A patch in version 3.5.0 addresses the flaw.

Risk and Exploitability

The CVSS score of 8.3 marks this as high. The EPSS score is not available, but the advisory notes that the issue can be exploited by supplying crafted arguments to the port_forward tool, which may be remotely accessible or available to privileged users. The vulnerability is not currently listed in the CISA KEV catalog, and no public exploit has been reported. Attackers would need to target the MCP server’s port_forward endpoint and provide malicious input; if the endpoint is exposed to untrusted users, the risk of internal service exposure is significant.

Generated by OpenCVE AI on April 15, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mcp-server-kubernetes to version 3.5.0 or newer.
  • If an upgrade is not immediately possible, restrict access to the port_forward endpoint so that only trusted administrators can invoke it.
  • Validate all user input for namespace, resourceType, resourceName, localPort, and targetPort prior to constructing the kubectl command, rejecting any arguments that contain spaces or disallowed characters.

Generated by OpenCVE AI on April 15, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4xqg-gf5c-ghwq MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting
History

Wed, 15 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Flux159
Flux159 mcp-server-kubernetes
Vendors & Products Flux159
Flux159 mcp-server-kubernetes

Tue, 14 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command is constructed via string concatenation with user-controlled input and then naively split on spaces before being passed to spawn(). Unlike all other tools in the codebase which correctly use array-based argument passing with execFileSync(), port_forward treats every space in user-controlled fields (namespace, resourceType, resourceName, localPort, targetPort) as an argument boundary, allowing an attacker to inject arbitrary kubectl flags. This enables exposure of internal Kubernetes services to the network by injecting --address=0.0.0.0, cross-namespace targeting by injecting additional -n flags, and indirect exploitation via prompt injection against AI agents connected to the MCP server. This issue has been fixed in version 3.5.0.
Title MCP Server Kubernetes has Argument Injection in its port_forward tool via space-splitting
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Flux159 Mcp-server-kubernetes
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T16:13:59.605Z

Reserved: 2026-04-07T20:32:03.010Z

Link: CVE-2026-39884

cve-icon Vulnrichment

Updated: 2026-04-15T16:04:59.413Z

cve-icon NVD

Status : Received

Published: 2026-04-15T04:17:37.097

Modified: 2026-04-15T17:17:04.943

Link: CVE-2026-39884

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:28:41Z

Weaknesses