Impact
mcp-server-kubernetes is a Model Context Protocol server that manages Kubernetes clusters. Before version 3.6.0 it exposed three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) as access-control settings that were only enforced when listing available tools. The execution layer (tools/call) did not enforce these variables, allowing any client that knew a tool name to invoke it regardless of the restrictions. The access-control checks were therefore cosmetic, and an attacker could run any tool and perform prohibited or destructive Kubernetes actions. The vulnerability was identified as a tool-level access-control bypass (CWE-863) and has been patched in mcp-server-kubernetes v3.6.0.
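The gap between list-time and call-time enforcement, and the shape of a fix, as an added sketch that is not the project's own code. The tool names, the registry, the function names and the value formats ("true", comma-separated names) are assumptions. Only the three environment variable names come from the advisory.

```typescript
// Added example: models list-time vs call-time enforcement; not the project's code.
type Env = { ALLOWED_TOOLS?: string; ALLOW_ONLY_READONLY_TOOLS?: string;
             ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS?: string };
type Tool = { name: string; readOnly: boolean; destructive: boolean };

// Constructed sample registry; tool names are hypothetical.
const TOOLS: Tool[] = [
  { name: "get_resource", readOnly: true, destructive: false },
  { name: "apply_manifest", readOnly: false, destructive: false },
  { name: "delete_resource", readOnly: false, destructive: true },
];

function findTool(name: string): Tool | undefined {
  return TOOLS.filter((t) => t.name === name)[0];
}

// One policy decision shared by every handler. The value formats are
// assumptions made for this sketch.
function isPermitted(tool: Tool, env: Env): boolean {
  if (env.ALLOWED_TOOLS !== undefined) {
    const names = env.ALLOWED_TOOLS.split(",").map((s) => s.trim());
    if (names.indexOf(tool.name) === -1) return false;
  }
  if (env.ALLOW_ONLY_READONLY_TOOLS === "true" && !tool.readOnly) return false;
  if (env.ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS === "true" && tool.destructive) return false;
  return true;
}

// tools/list: filtering only here hides tools but does not block them.
function listTools(env: Env): string[] {
  return TOOLS.filter((t) => isPermitted(t, env)).map((t) => t.name);
}

// Behaviour the advisory describes before 3.6.0: dispatch by name, policy ignored.
function callToolUnchecked(name: string, _env: Env): string {
  const tool = findTool(name);
  if (!tool) return "error: unknown tool";
  return `executed ${tool.name}`;
}

// Hardened form: the same policy is re-evaluated at execution time.
function callToolEnforced(name: string, env: Env): string {
  const tool = findTool(name);
  if (!tool) return "error: unknown tool";
  if (!isPermitted(tool, env)) return `denied: ${tool.name} is disabled by policy`;
  return `executed ${tool.name}`;
}
```

A regression test for this class of bug asserts that every tool absent from the tools/list result is also rejected by tools/call under the same configuration.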
Affected Systems
All versions of mcp-server-kubernetes prior to 3.6.0, including 3.5.x and earlier releases, are affected. The product is distributed by Flux159. No specific version range is listed beyond 3.6.0, so any deployment running a version older than 3.6.0 should be considered vulnerable.
Risk and Exploitability
The vulnerability was scored 8.8 on CVSS, indicating high severity. No EPSS score is available, so the likelihood of exploitation is unclear, and the issue is not yet in the CISA KEV catalog. Based on the description, the likely attack vector is a remote client able to call the tools/call endpoint. Because nothing is enforced at this layer, unauthenticated or victimized clients can trigger restricted tools, potentially causing loss of confidentiality, integrity, or availability of the cluster.