{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mcp-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-61459"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kubernetes \u003c 3.9.0"],"_cs_severities":["critical"],"_cs_tags":["kubernetes","cloud","argument-injection","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["MCP Server"],"content_html":"\u003cp\u003eCVE-2026-61459 describes a critical argument injection vulnerability affecting MCP Server Kubernetes versions prior to 3.9.0. This flaw specifically impacts structured tools such as \u003ccode\u003ekubectl_get\u003c/code\u003e, \u003ccode\u003ekubectl_describe\u003c/code\u003e, and \u003ccode\u003ekubectl_delete\u003c/code\u003e. Attackers can exploit this by crafting malicious input that includes resourceType and name parameters with leading dashes, effectively bypassing the \u003ccode\u003eassertNoDangerousFlags\u003c/code\u003e security mechanism. The core of the vulnerability lies in the ability to inject the \u003ccode\u003e--server\u003c/code\u003e flag into \u003ccode\u003ekubectl\u003c/code\u003e commands. This allows an attacker to redirect legitimate \u003ccode\u003ekubectl\u003c/code\u003e operations to an API server under their control. The primary impact is the exfiltration of the operator's bearer token, which, once stolen, grants attackers full administrative access and compromise over the entire Kubernetes cluster, enabling potential data exfiltration, resource manipulation, or further lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable MCP Server Kubernetes instance running versions prior to 3.9.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts malicious input targeting the structured tools (e.g., \u003ccode\u003ekubectl_get\u003c/code\u003e, \u003ccode\u003ekubectl_describe\u003c/code\u003e, \u003ccode\u003ekubectl_delete\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe crafted input includes \u003ccode\u003eresourceType\u003c/code\u003e and \u003ccode\u003ename\u003c/code\u003e parameters with specially formatted leading dashes.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows this input to bypass the \u003ccode\u003eassertNoDangerousFlags\u003c/code\u003e security check.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully injects the \u003ccode\u003e--server\u003c/code\u003e flag into the \u003ccode\u003ekubectl\u003c/code\u003e command executed by the structured tool.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ekubectl\u003c/code\u003e command is then redirected to an attacker-controlled API server instead of the legitimate cluster API.\u003c/li\u003e\n\u003cli\u003eThe operator's bearer token, typically used for authentication with the Kubernetes API, is inadvertently transmitted to the attacker's server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen bearer token to gain full administrative access, leading to complete compromise of the Kubernetes cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-61459 results in a full compromise of the affected Kubernetes cluster. Attackers gain access to the operator's bearer token, which can then be used to perform any action the compromised operator is authorized for, including reading sensitive data, deploying malicious workloads, modifying configurations, exfiltrating intellectual property, or establishing persistence. This leads to a loss of confidentiality, integrity, and availability for all resources managed by the cluster. Organizations using MCP Server Kubernetes versions below 3.9.0 are at severe risk if this vulnerability is exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade MCP Server Kubernetes to version 3.9.0 or later to patch CVE-2026-61459.\u003c/li\u003e\n\u003cli\u003eReview access logs for the \u003ccode\u003ekubectl\u003c/code\u003e command for unusual \u003ccode\u003e---server\u003c/code\u003e flag usage or connections to unexpected IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:20:09Z","date_published":"2026-07-10T19:20:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61459-kubernetes-arg-injection/","summary":"An argument injection vulnerability, CVE-2026-61459, in MCP Server Kubernetes versions prior to 3.9.0 within structured tools like kubectl_get, kubectl_describe, and kubectl_delete allows attackers to bypass the assertNoDangerousFlags security check by injecting parameters with leading dashes to redirect kubectl commands to an attacker-controlled API server, enabling the exfiltration of the operator's bearer token and leading to full Kubernetes cluster compromise.","title":"CVE-2026-61459 - Argument Injection in MCP Server Kubernetes Structured Tools Leads to Cluster Compromise","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61459-kubernetes-arg-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - MCP Server","version":"https://jsonfeed.org/version/1.1"}