CVE-2026-13341

KongHQ · mcp-konnect

A vulnerability in the Kong Konnect Model Context Protocol (MCP) server allows for improper input validation, potentially leading to security impacts.

Executive summary

An improper input validation vulnerability in the Kong Konnect MCP server poses a high risk to data confidentiality for affected deployments.

Vulnerability

The software suffers from improper input validation (CWE-20). Given that the CVSS vector includes User Interaction Required (UI:R) and Network attack vector (AV:N), this flaw likely facilitates unauthenticated, remote exploitation by an attacker who sends malicious inputs to the server.

Business impact

With a CVSS score of 7.4, this vulnerability represents a significant risk to organizational data. Successful exploitation could lead to unauthorized access to sensitive context information handled by the MCP server, potentially resulting in data leaks or unauthorized data exposure. The impact is elevated by the potential for cross-site or cross-context scenarios, which could undermine service integrity and trust in the Konnect platform.

Remediation

Immediate Action: Upgrade to version 1.0.0 or the latest available release as specified by the vendor security advisory.

Proactive Monitoring: Review server access logs for anomalous request patterns or unexpected input payloads directed at the MCP endpoint, and alert on them.

Compensating Controls: Implement a Web Application Firewall (WAF) with strict input validation rules to filter out malformed or suspicious requests before they reach the MCP server.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The vulnerability requires immediate attention to prevent unauthorized data access. Administrators should prioritize upgrading the Kong Konnect MCP server to the patched version 1.0.0 to eliminate the input validation flaw entirely.