CVE-2026-61459
Flux159 · mcp-server-kubernetes
Flux159 mcp-server-kubernetes before 3.9.0 is susceptible to argument injection, allowing attackers to redirect kubectl commands and steal bearer tokens, leading to cluster compromise.
Executive summary
A critical argument injection vulnerability in Flux159 mcp-server-kubernetes allows unauthenticated attackers to compromise entire Kubernetes clusters by stealing bearer tokens.
Vulnerability
The application fails to properly neutralize argument delimiters in tools like kubectl_get and kubectl_describe. By injecting leading dashes and the --server flag, an unauthenticated attacker can force the operator to communicate with an external, malicious API server.
Business impact
With a CVSS score of 9.8, this flaw enables full cluster takeover. By intercepting the operator’s bearer token, an attacker gains the permissions of the service account running the server, potentially leading to unauthorized data access, lateral movement, and total control over the orchestrated environment.
Remediation
Immediate Action: Update mcp-server-kubernetes to version 3.9.0 or later to patch the argument injection vulnerability.
Proactive Monitoring: Monitor egress traffic from the Kubernetes operator for connections to unauthorized or unknown API servers.
Compensating Controls: Apply strict NetworkPolicies to limit the operator's ability to initiate outbound connections to external IP addresses.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the extreme risk to Kubernetes cluster security, administrators must upgrade to version 3.9.0 immediately. Organizations should verify that their operators operate with the principle of least privilege, specifically restricting outbound network access to prevent token exfiltration in the event of future vulnerabilities.