Listen to this Post
The vulnerability arises from a discrepancy between the tool discovery and execution layers. Three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) are intended to restrict available Kubernetes operations. However, while these controls are correctly enforced in the `ListToolsRequestSchema` handler (which builds the tool list for clients), they are completely missing from the `CallToolRequestSchema` handler. This means an attacker can bypass the configured restrictions by directly crafting a `tools/call` request to any endpoint, such as `kubectl_delete` or exec_in_pod. The server fails to re-validate the requested tool name against the allowed set at the critical execution point, making the access control purely cosmetic. The impact is severe, especially when the server runs with `cluster-admin` privileges, leading to a full cluster compromise.
DailyCVE Form:
Platform: `Kubernetes MCP`
Version: `<3.6.0`
Vulnerability: `Auth Bypass`
Severity: `Critical`
Date: `2026-05-21`
Prediction: `2026-06-04`
What Undercode Say:
Analytics: To detect exploitation attempts, monitor logs for `tools/call` invocations of dangerous commands (e.g., kubectl_delete, exec_in_pod) in environments with restrictive policies. The following command simulates a bypass request for logging purposes:
curl -s http://<HOST>:3003/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"kubectl_delete"}}'
Exploit: Unauthenticated or low-privileged clients can delete resources or execute commands by directly calling any tool name, irrespective of the advertised list.
curl -X POST http://<HOST>:3003/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"exec_in_pod","arguments":{"name":"test-pod","namespace":"default","command":"cat /etc/passwd"}}}'
Protection from this CVE: Upgrade to version `v3.6.0` or later, which applies the same filtering logic in the `CallToolRequestSchema` handler. As a temporary mitigation, restrict network access to the MCP server’s endpoint (e.g., using firewalls or network policies) to only trusted clients.
Impact: Full cluster compromise if the service account has high privileges; otherwise, unauthorized data access or resource manipulation within the pod’s namespace.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

