Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Network-reachable indirect injection needs no privileges but requires an agent to ingest attacker content (UI:R); crossing into the Konnect API authority is S:C with C:H, and I:L reflects state-changing unintended API requests.
Primary rating from Vendor (Kong).
CVSS VectorVendor: Kong
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.
AnalysisAI
Indirect prompt injection in the Kong Konnect Model Context Protocol (MCP) server (konghq mcp-konnect) before version 1.0.0 allows a remote attacker to smuggle malicious instructions into content that an LLM agent processes, causing the agent to issue unintended Kong Konnect API requests. Because the injected instructions execute with the trust and credentials of the connected agent, an attacker can exfiltrate sensitive Konnect data or drive management API calls the operator never intended. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that an LLM/AI agent connected to the Kong mcp-konnect server (versions before 1.0.0) processes attacker-controlled content - this is the UI:R interaction in the CVSS vector: the injection is 'indirect,' so the attacker does not act directly but must get poisoned data into the agent's context (e.g., via a data source, API response, or resource the MCP server exposes). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N, base 7.4) indicates a network-reachable, low-complexity flaw needing no attacker privileges but requiring user/agent interaction (UI:R) - a victim agent must process the poisoned content for the injection to fire. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker plants crafted instructions inside data that a Konnect-connected AI agent will later read - for example a resource name, description, or upstream API response the mcp-konnect server surfaces to the model. When the agent processes that content, the hidden directives are interpreted as commands, causing the agent to issue unintended Konnect API requests such as reading sensitive configuration or altering managed resources. … |
| Remediation | Vendor-released patch: 1.0.0 - upgrade the Kong mcp-konnect MCP server to version 1.0.0 or later, per Kong advisory GHSA-7767-3m3w-2p44 (https://github.com/Kong/mcp-konnect/security/advisories/GHSA-7767-3m3w-2p44). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Kong Konnect MCP deployments and document LLM agent data sources; assess exposure to untrusted input. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41530
GHSA-6pr5-9p6v-xxrq