<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kubernetes &lt; 3.9.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/kubernetes--3.9.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:20:09 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/kubernetes--3.9.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-61459 - Argument Injection in MCP Server Kubernetes Structured Tools Leads to Cluster Compromise</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61459-kubernetes-arg-injection/</link><pubDate>Fri, 10 Jul 2026 19:20:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61459-kubernetes-arg-injection/</guid><description>An argument injection vulnerability, CVE-2026-61459, in MCP Server Kubernetes versions prior to 3.9.0 within structured tools like kubectl_get, kubectl_describe, and kubectl_delete allows attackers to bypass the assertNoDangerousFlags security check by injecting parameters with leading dashes to redirect kubectl commands to an attacker-controlled API server, enabling the exfiltration of the operator's bearer token and leading to full Kubernetes cluster compromise.</description><content:encoded><![CDATA[<p>CVE-2026-61459 describes a critical argument injection vulnerability affecting MCP Server Kubernetes versions prior to 3.9.0. This flaw specifically impacts structured tools such as <code>kubectl_get</code>, <code>kubectl_describe</code>, and <code>kubectl_delete</code>. Attackers can exploit this by crafting malicious input that includes resourceType and name parameters with leading dashes, effectively bypassing the <code>assertNoDangerousFlags</code> security mechanism. The core of the vulnerability lies in the ability to inject the <code>--server</code> flag into <code>kubectl</code> commands. This allows an attacker to redirect legitimate <code>kubectl</code> operations to an API server under their control. The primary impact is the exfiltration of the operator's bearer token, which, once stolen, grants attackers full administrative access and compromise over the entire Kubernetes cluster, enabling potential data exfiltration, resource manipulation, or further lateral movement.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable MCP Server Kubernetes instance running versions prior to 3.9.0.</li>
<li>Attacker crafts malicious input targeting the structured tools (e.g., <code>kubectl_get</code>, <code>kubectl_describe</code>, <code>kubectl_delete</code>).</li>
<li>The crafted input includes <code>resourceType</code> and <code>name</code> parameters with specially formatted leading dashes.</li>
<li>The vulnerability allows this input to bypass the <code>assertNoDangerousFlags</code> security check.</li>
<li>The attacker successfully injects the <code>--server</code> flag into the <code>kubectl</code> command executed by the structured tool.</li>
<li>The <code>kubectl</code> command is then redirected to an attacker-controlled API server instead of the legitimate cluster API.</li>
<li>The operator's bearer token, typically used for authentication with the Kubernetes API, is inadvertently transmitted to the attacker's server.</li>
<li>The attacker uses the stolen bearer token to gain full administrative access, leading to complete compromise of the Kubernetes cluster.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-61459 results in a full compromise of the affected Kubernetes cluster. Attackers gain access to the operator's bearer token, which can then be used to perform any action the compromised operator is authorized for, including reading sensitive data, deploying malicious workloads, modifying configurations, exfiltrating intellectual property, or establishing persistence. This leads to a loss of confidentiality, integrity, and availability for all resources managed by the cluster. Organizations using MCP Server Kubernetes versions below 3.9.0 are at severe risk if this vulnerability is exploited.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade MCP Server Kubernetes to version 3.9.0 or later to patch CVE-2026-61459.</li>
<li>Review access logs for the <code>kubectl</code> command for unusual <code>---server</code> flag usage or connections to unexpected IP addresses.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>kubernetes</category><category>cloud</category><category>argument-injection</category><category>vulnerability</category><category>cve</category></item></channel></rss>