Vendor
An argument injection vulnerability, CVE-2026-61459, in MCP Server Kubernetes versions prior to 3.9.0 within structured tools like kubectl_get, kubectl_describe, and kubectl_delete allows attackers to bypass the assertNoDangerousFlags security check by injecting parameters with leading dashes to redirect kubectl commands to an attacker-controlled API server, enabling the exfiltration of the operator's bearer token and leading to full Kubernetes cluster compromise.