CVE 8.8 HIGH

mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement_CVE-2026-46519

June 11, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic. This issue has been patched in version 3.6.0.

AI Analysis

Tool access control bypass vulnerability in mcp-server-kubernetes, allowing clients to invoke tools directly regardless of configured restrictions.

Basic Information

ID CVE-2026-46519

Source GitHub_M

Published Jun 11, 2026 at 18:34

Affected Product

Vendor Flux159

Product mcp-server-kubernetes

Version < 3.6.0

Affected Versions Flux159 mcp-server-kubernetes < 3.6.0

CWE Classification

CWE-863

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Flux159

Product mcp-server-kubernetes

Version < 3.6.0

References

{
    "lastseen": "",
    "description": "mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic. This issue has been patched in version 3.6.0.",
    "published": "2026-06-11T18:34:15.281Z",
    "modified": "2026-06-11T18:34:15.281Z",
    "type": "cve",
    "title": "mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement",
    "source": "GitHub_M",
    "references": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-cr22-wjx7-2w6m\nhttps://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.6.0",
    "id": "CVE-2026-46519",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Flux159 mcp-server-kubernetes < 3.6.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mcp-server-kubernetes",
    "version": "< 3.6.0",
    "vendor": "Flux159",
    "ai_description": "Tool access control bypass vulnerability in mcp-server-kubernetes, allowing clients to invoke tools directly regardless of configured restrictions.",
    "ai_severity": "High",
    "ai_vendor": "Flux159",
    "ai_product": "mcp-server-kubernetes",
    "ai_version": "< 3.6.0",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply