Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/Flux159/mcp-server-kubernetes) · only source for this CVE.
CVSS VectorVendor: https://github.com/Flux159/mcp-server-kubernetes
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Summary
mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic.
Fixed in v3.6.0.
Impact
An attacker or misconfigured AI agent with network access to the MCP server's HTTP endpoint could invoke any Kubernetes tool regardless of the restriction mode configured by the operator -- including kubectl_delete, exec_in_pod, kubectl_generic, and node_management.
The project explicitly supports and documents multi-client HTTP deployment scenarios (Streamable HTTP and SSE transports, in-cluster deployments, Codex CLI and Gemini CLI integrations). In these deployments, operators relied on the tool restriction env vars to enforce least-privilege access across users or roles. The bypass invalidated that model entirely.
Severity scales with the Kubernetes service account's permissions. In environments where the MCP server runs with cluster-admin (common in dev/staging), this is equivalent to full cluster compromise for any client that can reach the endpoint.
The MCP_AUTH_TOKEN / X-MCP-AUTH mechanism controls who can reach the endpoint but provides no per-tool authorization. An authenticated client restricted to ALLOWED_TOOLS=kubectl_get could still invoke kubectl_delete after authentication.
Root Cause
In src/index.ts, the ListToolsRequestSchema handler applied the configured filtering logic before returning available tools. The CallToolRequestSchema handler dispatched directly by tool name with no equivalent check -- every tool was reachable unconditionally.
Proof of Concept
Tested across all three restriction modes against a live kind cluster. In each case, kubectl_delete was absent from tools/list but executed successfully via a direct tools/call request:
curl -s http://<HOST>:3003/mcp \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kubectl_delete","arguments":{"resourceType":"pod","name":"test-pod","namespace":"default"}}}'Result: {"result":{"content":[{"type":"text","text":"pod \"test-pod\" deleted\n"}]}}
Confirmed across ALLOW_ONLY_READONLY_TOOLS=true, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS=true, and ALLOWED_TOOLS=kubectl_get.
Remediation
The fix applies the same filtering logic from ListToolsRequestSchema at the start of the CallToolRequestSchema handler, returning an error for any tool call outside the active allowed set. Fixed in v3.6.0.
Credit
Discovered by Francisco Rosales of Manifold Security, coordinated by Ax Sharma, Head of Research at Manifold Security.
AnalysisAI
Authorization bypass in mcp-server-kubernetes versions prior to 3.6.0 allows authenticated clients to invoke any Kubernetes tool - including destructive operations like kubectl_delete, exec_in_pod, and node_management - regardless of ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, or ALLOWED_TOOLS restrictions. The controls were enforced only at the tools/list discovery layer, leaving tools/call unguarded, which effectively reduces operator-configured least-privilege policies to cosmetic filters. Publicly available exploit code exists (a single curl invocation reproduces it), and in cluster-admin deployments the flaw is equivalent to full cluster compromise for any client reaching the endpoint.
Technical ContextAI
mcp-server-kubernetes is a Node.js/npm package implementing a Model Context Protocol (MCP) server that exposes kubectl-equivalent operations to LLM agents and CLI clients (Codex CLI, Gemini CLI) over Streamable HTTP and SSE transports. The defect is a classic CWE-863 (Incorrect Authorization): in src/index.ts, the ListToolsRequestSchema handler applies the env-var-driven filter, but the CallToolRequestSchema handler dispatches by tool name with no equivalent check - a textbook presentation-layer-only access control where the execution path trusts that the client only saw permitted tools. Because MCP tool names are well-known and documented, the filter provides no obscurity benefit. The MCP_AUTH_TOKEN/X-MCP-AUTH mechanism is a coarse endpoint gate and provides no per-tool authorization, so it does not mitigate the bypass once a client has authenticated.
RemediationAI
Vendor-released patch: upgrade mcp-server-kubernetes to 3.6.0 or later, which applies the ListToolsRequestSchema filter at the start of the CallToolRequestSchema handler and rejects calls outside the active allowed set; details at https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-cr22-wjx7-2w6m. Until upgrade is possible, restrict network access to the MCP HTTP endpoint (bind to localhost, use a NetworkPolicy, or front it with an authenticating proxy that enforces per-tool ACLs) and rotate MCP_AUTH_TOKEN to limit which clients can reach tools/call - note that token auth alone does not enforce ALLOWED_TOOLS, so this is containment, not a fix. Most importantly, replace any cluster-admin service account binding for the MCP server with a least-privilege Role/ClusterRole that grants only the verbs and resources operators intended to expose (e.g., get/list/watch for read-only deployments); this caps the blast radius of the bypass at the cost of breaking any tool that requires broader permissions, and should remain in place even after patching as defense in depth.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36286
GHSA-cr22-wjx7-2w6m