{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mcp-server-kubernetes--3.6.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mcp-server-kubernetes (\u003c 3.6.0)"],"_cs_severities":["high"],"_cs_tags":["access-control-bypass","privilege-escalation","kubernetes","cloud"],"_cs_type":"advisory","_cs_vendors":["Manifold Security"],"content_html":"\u003cp\u003eMCP Server Kubernetes is vulnerable to an access control bypass that lets any authenticated client execute any Kubernetes tool regardless of the configured restriction mode. The \u003ccode\u003etools/list\u003c/code\u003e handler filters the advertised tools according to that mode, but the \u003ccode\u003etools/call\u003c/code\u003e handler does not apply the same filter before executing a tool, so the restriction is enforced only at discovery time. An attacker with network access to the MCP server and a valid token, even in a deployment restricted to \u003ccode\u003ekubectl_get\u003c/code\u003e, can therefore invoke sensitive tools such as \u003ccode\u003ekubectl_delete\u003c/code\u003e, \u003ccode\u003eexec_in_pod\u003c/code\u003e, \u003ccode\u003ekubectl_generic\u003c/code\u003e, and \u003ccode\u003enode_management\u003c/code\u003e simply by naming them. The issue was present in versions prior to v3.6.0. The bypass is particularly dangerous in multi-client HTTP deployments, where operators rely on tool restrictions to enforce least-privilege access. 
Exploitation of this vulnerability can lead to full cluster compromise if the MCP server runs with \u003ccode\u003ecluster-admin\u003c/code\u003e privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the MCP server\u0026rsquo;s HTTP endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the MCP server using a valid \u003ccode\u003eMCP_AUTH_TOKEN\u003c/code\u003e or \u003ccode\u003eX-MCP-AUTH\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eAttacker enumerates tools via \u003ccode\u003etools/list\u003c/code\u003e. The returned list omits the tools excluded by the restriction mode configured through environment variables; this is the only point at which that restriction is applied.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003etools/call\u003c/code\u003e request to the same endpoint that names a restricted tool (e.g., \u003ccode\u003ekubectl_delete\u003c/code\u003e) in \u003ccode\u003eparams.name\u003c/code\u003e and supplies that tool\u0026rsquo;s arguments in \u003ccode\u003eparams.arguments\u003c/code\u003e. The tool does not need to appear in the \u003ccode\u003etools/list\u003c/code\u003e response.\u003c/li\u003e\n\u003cli\u003eThe MCP server executes the requested tool without re-applying the restriction mode, so the authenticated client is never checked for permission to use it.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves the intended malicious action (e.g., deleting a pod).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker or a misconfigured AI agent to bypass the intended tool restrictions and execute arbitrary Kubernetes commands. The impact scales with the permissions of the Kubernetes service account used by the MCP server. 
In environments where the MCP server runs with \u003ccode\u003ecluster-admin\u003c/code\u003e privileges, this can lead to full cluster compromise, including unauthorized data access, modification, and deletion. Deployments that relied on the tool restriction environment variables to enforce least-privilege access were exposed to privilege escalation and unauthorized actions within the cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003emcp-server-kubernetes\u003c/code\u003e version 3.6.0 or later to remediate CVE-2026-46519. After upgrading, verify the fix by sending a \u003ccode\u003etools/call\u003c/code\u003e for a tool that \u003ccode\u003etools/list\u003c/code\u003e omits under the configured restriction mode and confirming that the server refuses it.\u003c/li\u003e\n\u003cli\u003eMonitor HTTP requests to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint for \u003ccode\u003etools/call\u003c/code\u003e methods whose \u003ccode\u003eparams.name\u003c/code\u003e is a sensitive Kubernetes tool such as \u003ccode\u003ekubectl_delete\u003c/code\u003e, \u003ccode\u003eexec_in_pod\u003c/code\u003e, \u003ccode\u003ekubectl_generic\u003c/code\u003e, or \u003ccode\u003enode_management\u003c/code\u003e (see example Sigma rule below). A call for a tool that the configured restriction mode excludes is a direct indicator of a bypass attempt.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions of the Kubernetes service account used by the MCP server to the least privilege it needs. Tool restrictions are a client-facing filter; the service account\u0026rsquo;s RBAC bounds what any bypass can actually do.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit access to the MCP server\u0026rsquo;s HTTP endpoint only to authorized clients.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:34:49Z","date_published":"2026-05-21T20:34:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mcp-server-bypass/","summary":"MCP Server Kubernetes versions before 3.6.0 have an access control bypass vulnerability (CVE-2026-46519) where tool access controls are enforced only at the discovery layer, allowing authenticated clients to invoke any Kubernetes tool regardless of configured restrictions, potentially leading to cluster compromise.","title":"MCP Server Kubernetes Tool Access Control Bypass 
(CVE-2026-46519)","url":"https://feed.craftedsignal.io/briefs/2026-05-mcp-server-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Mcp-Server-Kubernetes (\u003c 3.6.0)","version":"https://jsonfeed.org/version/1.1"}
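The following is an added example written for this brief; it is not code from mcp-server-kubernetes or from the advisory's author. It models the attack chain and the recommendation above in one place: a minimal JSON-RPC dispatcher in which the allow-list is consulted only by tools/list (the pre-3.6.0 behaviour the advisory describes), the same dispatcher with the allow-list enforced on every tools/call, and a log check that flags tools/call bodies naming one of the sensitive tools. The tool names are those listed in the advisory; the tool registry, the `Policy` shape, the `handle`/`flagSensitiveCalls` functions, the kubectl_delete argument names, and the one-JSON-RPC-body-per-line log format are all assumptions made for illustration.

```typescript
// Added example, not mcp-server-kubernetes code. Models discovery-only filtering
// (the bug), call-time enforcement (the fix), and a log check for restricted calls.

type JsonRpcRequest = { jsonrpc: "2.0"; id: number; method: string; params?: any };
type JsonRpcResponse = {
  jsonrpc: "2.0"; id: number; result?: any; error?: { code: number; message: string };
};

// Tool names come from the advisory; the registry itself is a stand-in.
const ALL_TOOLS = ["kubectl_get", "kubectl_delete", "exec_in_pod", "kubectl_generic", "node_management"];
const SENSITIVE_TOOLS = ["kubectl_delete", "exec_in_pod", "kubectl_generic", "node_management"];

// The operator's restriction: only these tools are meant to be usable (assumed shape).
interface Policy { allowed: string[] }

function visibleTools(policy: Policy): string[] {
  return ALL_TOOLS.filter((t) => policy.allowed.indexOf(t) !== -1);
}

// Stand-in for real tool execution: records the call instead of touching a cluster.
function runTool(name: string, args: Record<string, unknown>, audit: string[]): string {
  audit.push(`${name}(${JSON.stringify(args)})`);
  return `executed ${name}`;
}

function rpcError(id: number, code: number, message: string): JsonRpcResponse {
  return { jsonrpc: "2.0", id, error: { code, message } };
}

// enforceOnCall=false reproduces the behaviour the advisory describes for versions
// before 3.6.0: the allow-list is consulted only when listing. enforceOnCall=true
// applies the same allow-list to every tools/call before anything runs.
function handle(req: JsonRpcRequest, policy: Policy, audit: string[], enforceOnCall: boolean): JsonRpcResponse {
  if (req.method === "tools/list") {
    const tools = visibleTools(policy).map((name) => ({ name }));
    return { jsonrpc: "2.0", id: req.id, result: { tools } };
  }
  if (req.method === "tools/call") {
    const name: string = req.params?.name ?? "";
    const args: Record<string, unknown> = req.params?.arguments ?? {};
    if (ALL_TOOLS.indexOf(name) === -1) return rpcError(req.id, -32602, `unknown tool: ${name}`);
    if (enforceOnCall && policy.allowed.indexOf(name) === -1) {
      return rpcError(req.id, -32602, `tool not permitted by restriction mode: ${name}`);
    }
    const text = runTool(name, args, audit);
    return { jsonrpc: "2.0", id: req.id, result: { content: [{ type: "text", text }] } };
  }
  return rpcError(req.id, -32601, "method not found");
}

// Detection for the monitoring recommendation: flag tools/call bodies that name a
// sensitive tool. One JSON-RPC body per log line is an assumed log format.
function flagSensitiveCalls(logLines: string[]): string[] {
  const hits: string[] = [];
  for (const line of logLines) {
    let msg: any;
    try { msg = JSON.parse(line); } catch { continue; }
    if (msg && msg.method === "tools/call" && SENSITIVE_TOOLS.indexOf(msg.params?.name) !== -1) {
      hits.push(msg.params.name);
    }
  }
  return hits;
}

// Walks the advisory's attack chain against the vulnerable and fixed variants.
function demo() {
  const policy: Policy = { allowed: ["kubectl_get"] }; // operator intends read-only use
  const list: JsonRpcRequest = { jsonrpc: "2.0", id: 1, method: "tools/list" };
  // Argument names for kubectl_delete are an assumption made for illustration.
  const bypass: JsonRpcRequest = {
    jsonrpc: "2.0", id: 2, method: "tools/call",
    params: { name: "kubectl_delete", arguments: { resourceType: "pod", name: "payments-0", namespace: "prod" } },
  };
  const vulnAudit: string[] = [];
  const fixedAudit: string[] = [];
  const listed = (handle(list, policy, vulnAudit, false).result.tools as { name: string }[]).map((t) => t.name);
  const vulnerable = handle(bypass, policy, vulnAudit, false);
  const fixed = handle(bypass, policy, fixedAudit, true);
  // Constructed request log: the bypass attempt, a non-JSON line, and benign traffic.
  const log = [
    JSON.stringify(list),
    JSON.stringify(bypass),
    "not json",
    JSON.stringify({ jsonrpc: "2.0", id: 3, method: "tools/call", params: { name: "kubectl_get", arguments: {} } }),
  ];
  return {
    listed,                               // ["kubectl_get"]: discovery hides the rest
    vulnerableExecuted: vulnAudit.length, // 1: kubectl_delete ran despite the restriction
    vulnerableText: vulnerable.result?.content?.[0]?.text as string | undefined,
    fixedErrorCode: fixed.error?.code,    // -32602: the call is refused before execution
    fixedExecuted: fixedAudit.length,     // 0
    flagged: flagSensitiveCalls(log),     // ["kubectl_delete"]
  };
}
```

The point of the model is that `visibleTools` and the call-time check consult the same policy object; the bug is not a missing allow-list but a second code path that never reads it. When verifying a patched deployment, the check in the Recommendation section corresponds to the `fixed` branch: a tools/call for a tool absent from tools/list must come back as an error, and nothing must be recorded as executed.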