CVE-2025-69902
Received Received - Intake
Command Injection in kubectl-mcp-server minimal_wrapper.py Allows RCE

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: MITRE

Description
A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69902
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw found in the minimal_wrapper.py component of kubectl-mcp-server version 1.2.0. It allows attackers to execute arbitrary commands by injecting shell metacharacters, which means they can run unintended commands on the system by manipulating input that is not properly sanitized.

Impact Analysis

The impact of this vulnerability is that an attacker could execute arbitrary commands on the system running kubectl-mcp-server. This could lead to unauthorized access, data compromise, system manipulation, or disruption of Kubernetes management operations, potentially affecting the security and stability of your Kubernetes infrastructure.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability is a command injection in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0, allowing arbitrary command execution via shell metacharacter injection.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can check if you are running kubectl-mcp-server version 1.2.0, especially the minimal_wrapper.py component.'}, {'type': 'paragraph', 'content': 'You may attempt to identify suspicious command executions or unexpected shell commands triggered by kubectl-mcp-server.'}, {'type': 'paragraph', 'content': 'Suggested commands to test or detect abnormal behavior include running kubectl-mcp-server commands such as:'}, {'type': 'list_item', 'content': '`kubectl-mcp-server info` - to get server information and verify version.'}, {'type': 'list_item', 'content': '`kubectl-mcp-server call get_pods \'{"namespace": "kube-system"}\'` - to check normal command execution.'}, {'type': 'paragraph', 'content': 'Monitoring logs for unexpected shell metacharacters or command injection patterns in requests to kubectl-mcp-server may help detect exploitation attempts.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using kubectl-mcp-server version 1.2.0 until a patched version is released.
  • Restrict access to the kubectl-mcp-server service to trusted users and networks only.
  • Monitor and audit logs for suspicious command injection attempts.
  • Implement network-level controls such as firewalls or network policies to limit exposure.
  • If possible, disable or isolate the minimal_wrapper.py component until a fix is available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69902. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart