CVE-2026-61459: MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools
MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.
Security readout for executives and security teams
Plain-English summary
This flaw can turn a convenience MCP Kubernetes tool into a path for cluster takeover. Malicious input can make kubectl contact an attacker-controlled API server, exposing the operator's Kubernetes bearer token. The published severity is critical and the reported fixed version is 3.9.0.
Executive priority
Treat this as urgent for any environment using this MCP server with real cluster credentials. Prioritize upgrade and credential exposure review because the reported impact includes token disclosure and possible full cluster compromise.
Technical view
CVE-2026-61459 is CWE-88 argument injection in Flux159 mcp-server-kubernetes before 3.9.0. The structured tools kubectl_get, kubectl_describe, and kubectl_delete accepted resourceType and name values with leading dashes, allowing bypass of assertNoDangerousFlags and injection of kubectl flags such as API server redirection.
Likely exposure
Organizations are most exposed where mcp-server-kubernetes is deployed with Kubernetes credentials and accepts tool calls influenced by untrusted users, prompts, agents, or external workflows. Exposure depends on whether affected versions before 3.9.0 are present and reachable.
Exploitation context
The bundle includes a researcher disclosure tagged as exploit and technical description, but KEV is false and no cited source states active exploitation in the wild. The risk is high because successful abuse can disclose bearer tokens and enable full cluster compromise.
Researcher notes
Evidence supports a critical argument injection fixed in 3.9.0. Validate against the referenced release, issue, pull request, and patch commit. Do not assume broader product impact beyond Flux159 mcp-server-kubernetes or active exploitation without additional evidence.
Mitigation direction
Upgrade mcp-server-kubernetes to version 3.9.0 or later.
Review the 3.9.0 release notes and vendor issue for final guidance.
Restrict MCP server access to trusted users and workflows.
Review and rotate Kubernetes tokens if exposure is suspected.
Limit Kubernetes RBAC permissions used by the MCP server.
Validation and detection
Inventory all mcp-server-kubernetes deployments and confirm their versions.
Verify affected structured kubectl tools are patched or unavailable.
Review MCP logs for suspicious resourceType or name values starting with dashes.
Check Kubernetes audit logs for unexpected API server interactions.
Confirm service account tokens have least-privilege RBAC.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-88: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-88 · source CWE mapping
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.