Skip to main content

Kong mcp-konnect CVE-2026-13341

| EUVDEUVD-2026-41530 HIGH
Improper Input Validation (CWE-20)
2026-07-03 Kong GHSA-6pr5-9p6v-xxrq
7.4
CVSS 3.1 · Vendor: Kong
Share

Severity by source

Vendor (Kong) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
vuln.today AI
8.2 HIGH

Network-reachable indirect injection needs no privileges but requires an agent to ingest attacker content (UI:R); crossing into the Konnect API authority is S:C with C:H, and I:L reflects state-changing unintended API requests.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (Kong).

CVSS VectorVendor: Kong

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 03, 2026 - 12:01 EUVD
Analysis Generated
Jul 03, 2026 - 11:16 vuln.today

DescriptionCVE.org

A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.

AnalysisAI

Indirect prompt injection in the Kong Konnect Model Context Protocol (MCP) server (konghq mcp-konnect) before version 1.0.0 allows a remote attacker to smuggle malicious instructions into content that an LLM agent processes, causing the agent to issue unintended Kong Konnect API requests. Because the injected instructions execute with the trust and credentials of the connected agent, an attacker can exfiltrate sensitive Konnect data or drive management API calls the operator never intended. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Plant malicious instructions in agent-readable data
Delivery
Agent ingests poisoned content via mcp-konnect
Exploit
Injected text interpreted as instructions
Execution
Agent issues unintended Konnect API requests
Impact
Sensitive data disclosed or resources manipulated

Vulnerability AssessmentAI

Exploitation Exploitation requires that an LLM/AI agent connected to the Kong mcp-konnect server (versions before 1.0.0) processes attacker-controlled content - this is the UI:R interaction in the CVSS vector: the injection is 'indirect,' so the attacker does not act directly but must get poisoned data into the agent's context (e.g., via a data source, API response, or resource the MCP server exposes). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N, base 7.4) indicates a network-reachable, low-complexity flaw needing no attacker privileges but requiring user/agent interaction (UI:R) - a victim agent must process the poisoned content for the injection to fire. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker plants crafted instructions inside data that a Konnect-connected AI agent will later read - for example a resource name, description, or upstream API response the mcp-konnect server surfaces to the model. When the agent processes that content, the hidden directives are interpreted as commands, causing the agent to issue unintended Konnect API requests such as reading sensitive configuration or altering managed resources. …
Remediation Vendor-released patch: 1.0.0 - upgrade the Kong mcp-konnect MCP server to version 1.0.0 or later, per Kong advisory GHSA-7767-3m3w-2p44 (https://github.com/Kong/mcp-konnect/security/advisories/GHSA-7767-3m3w-2p44). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Kong Konnect MCP deployments and document LLM agent data sources; assess exposure to untrusted input. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy