CVE-2026-61459
Gravedad CVSS v4.0:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
10/07/2026
Última modificación:
10/07/2026
Descripción
*** Pendiente de traducción *** MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.
Impacto
Puntuación base 4.0
9.30
Gravedad 4.0
CRÍTICA
Puntuación base 3.x
9.80
Gravedad 3.x
CRÍTICA
Referencias a soluciones, herramientas e información
- https://github.com/Flux159/mcp-server-kubernetes/commit/d7890f50a4567bf5d9842541ba6f41e180227f9a
- https://github.com/Flux159/mcp-server-kubernetes/issues/328
- https://github.com/Flux159/mcp-server-kubernetes/pull/329
- https://github.com/Flux159/mcp-server-kubernetes/releases/tag/3.9.0
- https://www.vulncheck.com/advisories/mcp-server-kubernetes-argument-injection-via-kubectl-structured-tools



