Skip to main content

mcp-server-kubernetes EUVDEUVD-2026-36286

| CVE-2026-46519 HIGH
Incorrect Authorization (CWE-863)
2026-05-21 https://github.com/Flux159/mcp-server-kubernetes GHSA-cr22-wjx7-2w6m
8.8
CVSS 3.1 · Vendor: https://github.com/Flux159/mcp-server-kubernetes
Share

Severity by source

Vendor (https://github.com/Flux159/mcp-server-kubernetes) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (https://github.com/Flux159/mcp-server-kubernetes) · only source for this CVE.

CVSS VectorVendor: https://github.com/Flux159/mcp-server-kubernetes

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 21:30 vuln.today
Analysis Generated
May 21, 2026 - 21:30 vuln.today

DescriptionCVE.org

Summary

mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic.

Fixed in v3.6.0.

Impact

An attacker or misconfigured AI agent with network access to the MCP server's HTTP endpoint could invoke any Kubernetes tool regardless of the restriction mode configured by the operator -- including kubectl_delete, exec_in_pod, kubectl_generic, and node_management.

The project explicitly supports and documents multi-client HTTP deployment scenarios (Streamable HTTP and SSE transports, in-cluster deployments, Codex CLI and Gemini CLI integrations). In these deployments, operators relied on the tool restriction env vars to enforce least-privilege access across users or roles. The bypass invalidated that model entirely.

Severity scales with the Kubernetes service account's permissions. In environments where the MCP server runs with cluster-admin (common in dev/staging), this is equivalent to full cluster compromise for any client that can reach the endpoint.

The MCP_AUTH_TOKEN / X-MCP-AUTH mechanism controls who can reach the endpoint but provides no per-tool authorization. An authenticated client restricted to ALLOWED_TOOLS=kubectl_get could still invoke kubectl_delete after authentication.

Root Cause

In src/index.ts, the ListToolsRequestSchema handler applied the configured filtering logic before returning available tools. The CallToolRequestSchema handler dispatched directly by tool name with no equivalent check -- every tool was reachable unconditionally.

Proof of Concept

Tested across all three restriction modes against a live kind cluster. In each case, kubectl_delete was absent from tools/list but executed successfully via a direct tools/call request:

shell
curl -s http://<HOST>:3003/mcp \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kubectl_delete","arguments":{"resourceType":"pod","name":"test-pod","namespace":"default"}}}'

Result: {"result":{"content":[{"type":"text","text":"pod \"test-pod\" deleted\n"}]}}

Confirmed across ALLOW_ONLY_READONLY_TOOLS=true, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS=true, and ALLOWED_TOOLS=kubectl_get.

Remediation

The fix applies the same filtering logic from ListToolsRequestSchema at the start of the CallToolRequestSchema handler, returning an error for any tool call outside the active allowed set. Fixed in v3.6.0.

Credit

Discovered by Francisco Rosales of Manifold Security, coordinated by Ax Sharma, Head of Research at Manifold Security.

AnalysisAI

Authorization bypass in mcp-server-kubernetes versions prior to 3.6.0 allows authenticated clients to invoke any Kubernetes tool - including destructive operations like kubectl_delete, exec_in_pod, and node_management - regardless of ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, or ALLOWED_TOOLS restrictions. The controls were enforced only at the tools/list discovery layer, leaving tools/call unguarded, which effectively reduces operator-configured least-privilege policies to cosmetic filters. Publicly available exploit code exists (a single curl invocation reproduces it), and in cluster-admin deployments the flaw is equivalent to full cluster compromise for any client reaching the endpoint.

Technical ContextAI

mcp-server-kubernetes is a Node.js/npm package implementing a Model Context Protocol (MCP) server that exposes kubectl-equivalent operations to LLM agents and CLI clients (Codex CLI, Gemini CLI) over Streamable HTTP and SSE transports. The defect is a classic CWE-863 (Incorrect Authorization): in src/index.ts, the ListToolsRequestSchema handler applies the env-var-driven filter, but the CallToolRequestSchema handler dispatches by tool name with no equivalent check - a textbook presentation-layer-only access control where the execution path trusts that the client only saw permitted tools. Because MCP tool names are well-known and documented, the filter provides no obscurity benefit. The MCP_AUTH_TOKEN/X-MCP-AUTH mechanism is a coarse endpoint gate and provides no per-tool authorization, so it does not mitigate the bypass once a client has authenticated.

RemediationAI

Vendor-released patch: upgrade mcp-server-kubernetes to 3.6.0 or later, which applies the ListToolsRequestSchema filter at the start of the CallToolRequestSchema handler and rejects calls outside the active allowed set; details at https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-cr22-wjx7-2w6m. Until upgrade is possible, restrict network access to the MCP HTTP endpoint (bind to localhost, use a NetworkPolicy, or front it with an authenticating proxy that enforces per-tool ACLs) and rotate MCP_AUTH_TOKEN to limit which clients can reach tools/call - note that token auth alone does not enforce ALLOWED_TOOLS, so this is containment, not a fix. Most importantly, replace any cluster-admin service account binding for the MCP server with a least-privilege Role/ClusterRole that grants only the verbs and resources operators intended to expose (e.g., get/list/watch for read-only deployments); this caps the blast radius of the bypass at the cost of breaking any tool that requires broader permissions, and should remain in place even after patching as defense in depth.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-36286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy