Description
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic. This issue has been patched in version 3.6.0.
Published: 2026-06-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

mcp‑server‑kubernetes is a Model Context Protocol server that manages Kubernetes clusters. Before version 3.6.0 it exposed three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) as access‑control settings that were only enforced when listing available tools. The execution layer (tools/call) did not enforce these variables, allowing any client that knew a tool name to invoke it regardless of the restrictions. The access‑control checks were therefore cosmetic, and an attacker could run any tool and perform prohibited or destructive Kubernetes actions. The vulnerability was identified as a tool‑level access‑control bypass (CWE‑863) and has been patched in mcp‑server‑kubernetes v3.6.0.

Affected Systems

All versions of mcp‑server‑kubernetes prior to 3.6.0, including 3.5.x and earlier releases, are affected. The product is distributed by Flux159. No specific version range is listed beyond 3.6.0, so any deployment running a version older than 3.6.0 should be considered vulnerable.

Risk and Exploitability

The vulnerability was scored 8.8 on CVSS, indicating a high severity condition; the EPSS score is not available, making the exploitation likelihood unclear, and it is not yet in the CISA KEV catalog. Based on the description, the likely attack vector is a remote client able to call the tools/call endpoint. The absence of enforcement at this layer means that unauthenticated or victimized clients can trigger restricted tools, potentially causing loss of confidentiality, integrity, or availability of the cluster.

Generated by OpenCVE AI on June 11, 2026 at 22:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mcp‑server‑kubernetes to version 3.6.0 or newer.
  • After upgrade, verify that tool execution now respects the environment variable restrictions.
  • Restrict network exposure of the mcp‑server‑kubernetes API to trusted hosts and enforce authentication.
  • Monitor logs for unexpected tool invocations to detect any residual misuse.

Generated by OpenCVE AI on June 11, 2026 at 22:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cr22-wjx7-2w6m MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
History

Thu, 11 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Flux159
Flux159 mcp-server-kubernetes
Vendors & Products Flux159
Flux159 mcp-server-kubernetes

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic. This issue has been patched in version 3.6.0.
Title mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Flux159 Mcp-server-kubernetes
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T19:40:22.771Z

Reserved: 2026-05-14T19:12:32.755Z

Link: CVE-2026-46519

cve-icon Vulnrichment

Updated: 2026-06-11T19:40:09.332Z

cve-icon NVD

Status : Deferred

Published: 2026-06-11T19:16:42.213

Modified: 2026-06-11T21:01:26.377

Link: CVE-2026-46519

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:15:09Z

Weaknesses