CVE-2026-61459 in MCP Server Kubernetes
요약
\~에 의해 MITRE • 2026. 07. 10.
MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.