CVE-2026-13341
Received Received - Intake

Indirect Prompt Injection in Kong Konnect MCP Server

Vulnerability report for CVE-2026-13341, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Kong

Description

A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-03
Last Modified
2026-07-03
Generated
2026-07-03
AI Q&A
2026-07-03
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
kong konnect_model_context_protocol to 1.0.0 (exc)
kong konnect_mcp to 1.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-13341 vulnerability affects the Kong Konnect Model Context Protocol (MCP) server versions prior to 1.0.0. It involves a stored prompt injection and credential exposure caused by untrusted analytics data. An attacker can send malicious traffic to a gateway, crafting request metadata such as the User-Agent header to inject harmful content into Konnect analytics.

When the MCP server returns this unneutralized data to an AI assistant or MCP client, the assistant may interpret it as executable instructions or renderable content. This can lead to unintended API requests or sensitive information disclosure. Additionally, path manipulation vulnerabilities allow the MCP server to request unintended Konnect API endpoints using the user's token.

The vulnerability arises because the MCP client or AI agent processes untrusted data without proper sandboxing or network restrictions.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to perform indirect prompt injection attacks that cause the MCP server or AI assistant to execute unintended API requests.

Such attacks can lead to exposure of sensitive information, as the attacker can manipulate analytics data to inject malicious content that the AI assistant processes.

Furthermore, path manipulation can cause the MCP server to access unauthorized API endpoints with your user token, potentially compromising your system's confidentiality.

Detection Guidance

Detection of the CVE-2026-13341 vulnerability involves monitoring for unusual or malicious request metadata, such as suspicious User-Agent strings, being sent to the Kong Konnect MCP server. Since the vulnerability arises from untrusted analytics data being processed without proper sandboxing, inspecting gateway traffic for crafted request metadata that could lead to prompt injection is essential.

Additionally, monitoring for unexpected outbound requests from MCP clients or AI agents to untrusted hosts can indicate exploitation attempts.

While no specific commands are provided in the resources, general network and log inspection commands that could help include:

  • Using network traffic capture tools like tcpdump or Wireshark to filter and analyze HTTP headers for suspicious User-Agent or other metadata fields.
  • Checking logs of the Kong Konnect MCP server and gateways for unusual or malformed request metadata.
  • Using commands like `grep` or `awk` on log files to search for suspicious patterns in request headers.
  • Monitoring outbound network connections from MCP clients or AI agents to detect unauthorized external requests.
Mitigation Strategies

Immediate mitigation steps for CVE-2026-13341 include upgrading Kong Konnect MCP to version 1.0.0 or later, which contains patches that neutralize untrusted analytics fields, validate identifiers, encode path segments, disable raw plugin configuration output by default, and require explicit opt-ins for raw plugin configuration.

Additional workarounds and mitigations include:

  • Avoid using analytics tools on gateways that accept untrusted traffic.
  • Disable raw plugin configuration output to prevent exposure of sensitive data.
  • Restrict or sandbox AI agents and MCP clients to limit their ability to process untrusted data or make outbound requests.
  • Apply egress network controls to prevent MCP clients or AI agents from making outbound requests to untrusted hosts.
Compliance Impact

The vulnerability in Kong Konnect MCP can lead to sensitive information disclosure due to untrusted analytics data being processed without proper neutralization or sandboxing. This exposure of sensitive information to unauthorized actors (classified as CWE-200) could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access or disclosure.

Specifically, if an attacker exploits this vulnerability, they may cause the MCP server or AI assistant to execute unintended API requests or disclose sensitive data, potentially violating confidentiality requirements mandated by these standards.

Therefore, organizations using affected versions of Kong Konnect MCP prior to 1.0.0 should upgrade immediately and apply recommended mitigations to maintain compliance with common data protection regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13341. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart