Manifold Security — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/manifold-security/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 21 May 2026 20:34:49 +0000MCP Server Kubernetes Tool Access Control Bypass (CVE-2026-46519)https://feed.craftedsignal.io/briefs/2026-05-mcp-server-bypass/Thu, 21 May 2026 20:34:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-mcp-server-bypass/MCP Server Kubernetes versions before 3.6.0 have an access control bypass vulnerability (CVE-2026-46519) where tool access controls are enforced only at the discovery layer, allowing authenticated clients to invoke any Kubernetes tool regardless of configured restrictions, potentially leading to cluster compromise.MCP Server Kubernetes is vulnerable to an access control bypass that allows authenticated users to execute any Kubernetes tool regardless of the configured restriction mode. The vulnerability lies in the tools/call endpoint, which doesn’t enforce the same filtering logic as the tools/list endpoint. This means an attacker with network access to the MCP server, even with limited permissions (e.g., kubectl_get), can invoke more sensitive tools like kubectl_delete, exec_in_pod, kubectl_generic, and node_management. The issue was present in versions prior to v3.6.0. This bypass is particularly dangerous in multi-client HTTP deployment scenarios, where operators rely on tool restrictions to enforce least-privilege access. Exploitation of this vulnerability can lead to full cluster compromise if the MCP server runs with cluster-admin privileges.

Attack Chain

  1. Attacker gains network access to the MCP server’s HTTP endpoint.
  2. Attacker authenticates to the MCP server using a valid MCP_AUTH_TOKEN or X-MCP-AUTH header.
  3. Attacker discovers available tools via the tools/list endpoint. The returned list may be restricted based on configured environment variables.
  4. Attacker crafts a tools/call request with the name of a restricted tool (e.g., kubectl_delete).
  5. Attacker includes the necessary arguments for the chosen tool in the params field of the request.
  6. Attacker sends the crafted tools/call request to the MCP server’s HTTP endpoint.
  7. The MCP server executes the requested tool without validating if the authenticated user has permission to use it.
  8. The attacker achieves the intended malicious action (e.g., deleting a pod).

Impact

Successful exploitation of this vulnerability allows an attacker or misconfigured AI agent to bypass intended access controls and execute arbitrary Kubernetes commands. The impact scales with the permissions of the Kubernetes service account used by the MCP server. In environments where the MCP server runs with cluster-admin privileges, this can lead to full cluster compromise, including unauthorized data access, modification, and deletion. This vulnerability affected users relying on tool restriction environment variables to enforce least-privilege access, potentially leading to privilege escalation and unauthorized actions within the Kubernetes cluster.

Recommendation

  • Upgrade to mcp-server-kubernetes version 3.6.0 or later to remediate CVE-2026-46519.
  • Monitor HTTP requests to the /mcp endpoint for tools/call methods attempting to invoke sensitive Kubernetes tools like kubectl_delete, exec_in_pod, kubectl_generic, and node_management (see example Sigma rule below).
  • Review and restrict the permissions of the Kubernetes service account used by the MCP server to adhere to the principle of least privilege.
  • Implement network segmentation to limit access to the MCP server’s HTTP endpoint only to authorized clients.
]]>highadvisoryaccess-control-bypassprivilege-escalationkubernetescloud