No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Mon, 13 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 10 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Flux159
Flux159 mcp-server-kubernetes |
|
| Vendors & Products |
Flux159
Flux159 mcp-server-kubernetes |
Fri, 10 Jul 2026 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise. | |
| Title | MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools | |
| Weaknesses | CWE-88 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-13T14:55:11.357Z
Reserved: 2026-07-09T14:07:55.624Z
Link: CVE-2026-61459
Updated: 2026-07-13T14:55:08.326Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-12T23:15:03Z