CVE-2026-46519
Deferred - Pending Action

Insecure Tool Execution Bypass in mcp-server-kubernetes

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic. This issue has been patched in version 3.6.0.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor: flux159
Product: mcp-server-kubernetes
Version / Range: to 3.6.0 (exc)

Exploitability

CWE ID: CWE-863
Description: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Executive Summary

CVE-2026-46519 is an access control bypass vulnerability in the mcp-server-kubernetes npm package affecting versions prior to 3.6.0.

The vulnerability arises because environment variables intended to restrict which Kubernetes tools can be used (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) were only enforced during the tool discovery phase (tools/list) but not during the actual execution phase (tools/call).

As a result, any authenticated client who knows the name of a tool can invoke it directly, bypassing the configured restrictions. For example, a client restricted to read-only tools could still execute destructive operations like deleting Kubernetes resources.

This issue was fixed in version 3.6.0 by applying the same access control filtering to the tool execution layer.
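
The gap between the two layers, shown as an added example that is not code from mcp-server-kubernetes: the tool names, the `readOnly`/`destructive` flags, the `"true"` flag values and the comma-separated `ALLOWED_TOOLS` format are assumptions made for illustration.

```javascript
// Added illustration; not code from mcp-server-kubernetes.
// Tool names and the readOnly/destructive flags are hypothetical.
const TOOLS = [
  { name: "example_get", readOnly: true, destructive: false },
  { name: "example_apply", readOnly: false, destructive: false },
  { name: "example_delete", readOnly: false, destructive: true },
];

// Assumptions: ALLOWED_TOOLS is a comma-separated list that takes precedence,
// and the two boolean modes are enabled with the string "true".
function allowedTools(env) {
  if (env.ALLOWED_TOOLS) {
    const names = new Set(env.ALLOWED_TOOLS.split(",").map((s) => s.trim()));
    return TOOLS.filter((t) => names.has(t.name));
  }
  if (env.ALLOW_ONLY_READONLY_TOOLS === "true") return TOOLS.filter((t) => t.readOnly);
  if (env.ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS === "true") return TOOLS.filter((t) => !t.destructive);
  return TOOLS;
}

const run = (name) => ({ ok: true, ran: name }); // stand-in for the real operation

// Discovery layer (tools/list): filtered in both variants.
function listTools(env) {
  return allowedTools(env).map((t) => t.name);
}

// Pattern described for versions before 3.6.0: execution (tools/call) looks the
// tool up in the full registry and never consults env, so the filter is skipped.
function callToolUnchecked(env, name) {
  const tool = TOOLS.find((t) => t.name === name);
  if (!tool) return { ok: false, error: "unknown tool" };
  return run(tool.name);
}

// Corrected pattern: execution resolves the tool from the same filtered set
// that discovery uses, so an unlisted tool cannot be run.
function callToolChecked(env, name) {
  const tool = allowedTools(env).find((t) => t.name === name);
  if (!tool) return { ok: false, error: "tool not permitted" };
  return run(tool.name);
}
```

Deriving both handlers from one `allowedTools` function keeps discovery and execution from drifting apart when a new restriction mode is added.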

Impact Analysis

This vulnerability can have severe impacts, especially in multi-client Kubernetes cluster management environments.

An attacker or unauthorized client with network access to the MCP server's HTTP endpoint can bypass intended access restrictions and execute any Kubernetes tool, including destructive operations.

If the MCP server runs with cluster-admin permissions, this could lead to full cluster compromise, affecting confidentiality, integrity, and availability of the Kubernetes environment.

Detection Guidance

This vulnerability can be detected by verifying if the mcp-server-kubernetes version in use is prior to 3.6.0, as versions before this do not enforce access control at the tool execution layer.

To detect exploitation attempts on your network or system, monitor HTTP requests to the MCP server's endpoint for calls to tools that should be restricted but are being invoked directly.

Suggested checks include confirming the installed version of mcp-server-kubernetes and monitoring network traffic:

  • Check the installed version of mcp-server-kubernetes (example): `mcp-server-kubernetes --version` or check package.json dependencies.
  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests to the MCP server endpoint and look for unauthorized tool calls.
  • Use Kubernetes audit logs to detect unauthorized destructive operations invoked via the MCP server.
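
One way to run the request-monitoring check above over captured request bodies, as an added example that is not part of mcp-server-kubernetes: the record shape, tool names, addresses and timestamps are constructed, and the permitted list is whatever the deployment's restriction mode is meant to expose.

```javascript
// Added illustration; not part of mcp-server-kubernetes. Tool names are hypothetical.
// Flags tools/call requests that name a tool outside the set the deployment
// is supposed to expose (what tools/list would have advertised).
function findRestrictedCalls(records, permitted) {
  const allowed = new Set(permitted);
  const findings = [];
  for (const rec of records) {
    let parsed;
    try {
      parsed = JSON.parse(rec.body);
    } catch {
      continue; // body is not JSON, so it is not an MCP request
    }
    // JSON-RPC permits batches, so normalise to an array of messages.
    const messages = Array.isArray(parsed) ? parsed : [parsed];
    for (const msg of messages) {
      if (!msg || msg.method !== "tools/call") continue;
      const name = msg.params && msg.params.name;
      if (typeof name !== "string" || !allowed.has(name)) {
        findings.push({ time: rec.time, src: rec.src, tool: name ?? null });
      }
    }
  }
  return findings;
}

// Constructed sample: request bodies as a reverse proxy or packet capture might record them.
const SAMPLE = [
  { time: "2026-06-12T10:00:01Z", src: "192.0.2.10",
    body: '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' },
  { time: "2026-06-12T10:00:02Z", src: "192.0.2.10",
    body: '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"example_get","arguments":{}}}' },
  { time: "2026-06-12T10:03:44Z", src: "192.0.2.20",
    body: '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"example_delete","arguments":{}}}' },
  { time: "2026-06-12T10:04:00Z", src: "192.0.2.20", body: "GET /healthz" },
];

// Read-only deployment: only example_get should ever be called.
const FINDINGS = findRestrictedCalls(SAMPLE, ["example_get"]);
```

Against a server older than 3.6.0 a finding means the call was executed; against 3.6.0 or later it indicates a refused attempt that is still worth investigating.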

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade mcp-server-kubernetes to version 3.6.0 or later, where the issue has been fixed by enforcing access control at the tool execution layer.

Until the upgrade can be performed, restrict network access to the MCP server's HTTP endpoint to trusted clients only, minimizing exposure to potential attackers.

Additionally, review and monitor Kubernetes cluster operations for unauthorized or unexpected destructive actions that may indicate exploitation.

Compliance Impact

The vulnerability in mcp-server-kubernetes allows authenticated clients to bypass access control restrictions and execute unauthorized Kubernetes operations, potentially leading to full cluster compromise.

This unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Specifically, the failure to enforce access controls at the execution layer undermines least-privilege principles, increasing the risk of unauthorized data access, modification, or deletion, which are critical concerns under these regulations.
