CVE-2026-61459 - Argument Injection in MCP Server Kubernetes Structured Tools Leads to Cluster Compromise
An argument injection vulnerability, CVE-2026-61459, in MCP Server Kubernetes versions prior to 3.9.0 within structured tools like kubectl_get, kubectl_describe, and kubectl_delete allows attackers to bypass the assertNoDangerousFlags security check by injecting parameters with leading dashes to redirect kubectl commands to an attacker-controlled API server, enabling the exfiltration of the operator's bearer token and leading to full Kubernetes cluster compromise.
CVE-2026-61459 describes a critical argument injection vulnerability affecting MCP Server Kubernetes versions prior to 3.9.0. This flaw specifically impacts structured tools such as kubectl_get, kubectl_describe, and kubectl_delete. Attackers can exploit this by crafting malicious input that includes resourceType and name parameters with leading dashes, effectively bypassing the assertNoDangerousFlags security mechanism. The core of the vulnerability lies in the ability to inject the --server flag into kubectl commands. This allows an attacker to redirect legitimate kubectl operations to an API server under their control. The primary impact is the exfiltration of the operator's bearer token, which, once stolen, grants attackers full administrative access and compromise over the entire Kubernetes cluster, enabling potential data exfiltration, resource manipulation, or further lateral movement.
Attack Chain
- Attacker identifies a vulnerable MCP Server Kubernetes instance running versions prior to 3.9.0.
- Attacker crafts malicious input targeting the structured tools (e.g.,
kubectl_get,kubectl_describe,kubectl_delete). - The crafted input includes
resourceTypeandnameparameters with specially formatted leading dashes. - The vulnerability allows this input to bypass the
assertNoDangerousFlagssecurity check. - The attacker successfully injects the
--serverflag into thekubectlcommand executed by the structured tool. - The
kubectlcommand is then redirected to an attacker-controlled API server instead of the legitimate cluster API. - The operator's bearer token, typically used for authentication with the Kubernetes API, is inadvertently transmitted to the attacker's server.
- The attacker uses the stolen bearer token to gain full administrative access, leading to complete compromise of the Kubernetes cluster.
Impact
The successful exploitation of CVE-2026-61459 results in a full compromise of the affected Kubernetes cluster. Attackers gain access to the operator's bearer token, which can then be used to perform any action the compromised operator is authorized for, including reading sensitive data, deploying malicious workloads, modifying configurations, exfiltrating intellectual property, or establishing persistence. This leads to a loss of confidentiality, integrity, and availability for all resources managed by the cluster. Organizations using MCP Server Kubernetes versions below 3.9.0 are at severe risk if this vulnerability is exploited.
Recommendation
- Immediately upgrade MCP Server Kubernetes to version 3.9.0 or later to patch CVE-2026-61459.
- Review access logs for the
kubectlcommand for unusual---serverflag usage or connections to unexpected IP addresses.