CVE-2026-61459 in MCP Server Kubernetesinfo

Summary

by MITRE • 07/10/2026

MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists within the MCP Server Kubernetes platform version 3.9.0 and earlier, specifically affecting the structured tools functionality including kubectl_get, kubectl_describe, and kubectl_delete commands. The core issue stems from improper input validation and sanitization of user-supplied parameters, creating an argument injection flaw that directly violates security best practices outlined in CWE-77 and CWE-94. Attackers can exploit this weakness by crafting malicious resourceType and name parameters that contain leading dashes, which are then passed directly to underlying kubectl commands without proper escaping or validation.

The technical exploitation occurs through the bypass of the assertNoDangerousFlags security mechanism, which is designed to prevent dangerous command-line arguments from being executed. When attackers supply parameters with leading dashes, these characters are interpreted as command-line flags by kubectl rather than as resource identifiers. This allows the injection of the --server flag, which redirects kubectl operations from the legitimate cluster API server to an attacker-controlled endpoint. The vulnerability leverages the fundamental principle that command-line arguments are not properly sanitized before being passed to system commands, creating a direct path for privilege escalation and unauthorized access.

The operational impact of this vulnerability is severe and potentially catastrophic for Kubernetes cluster security. When successful, attackers can intercept and exfiltrate the operator's bearer token, which serves as the primary authentication mechanism for cluster operations. This token compromise enables full administrative access to the targeted Kubernetes cluster, allowing attackers to deploy malicious workloads, modify cluster configurations, steal sensitive data, and potentially escalate their privileges to other connected systems within the network infrastructure. The attack vector aligns with ATT&CK technique T1566 which involves credential harvesting through manipulation of legitimate system processes.

Mitigation strategies must address both immediate defensive measures and long-term architectural improvements. Organizations should upgrade to MCP Server Kubernetes version 3.9.0 or later where this vulnerability has been resolved through proper input validation and argument sanitization. Additionally, implementing strict parameter validation at the application level to reject inputs containing leading dashes or other dangerous characters is critical. Network-level defenses such as egress filtering and API server access controls can provide additional protection layers. The fix should incorporate secure coding practices that prevent command injection vulnerabilities by using parameterized commands instead of string concatenation, aligning with industry standards for secure software development and addressing the specific security weaknesses identified in CWE-77 and CWE-94 categories.

Responsible

VulnCheck

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!