{"data":{"id":"12a92056-3150-44a5-a240-818b8eb7a24c","title":"GHSA-6mx4-4h42-r8vh: MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration","summary":"The `kubectl_generic` tool in `mcp-server-kubernetes` accepts any kubectl flags without validation, allowing an attacker to inject flags like `--server=https://attacker.com` and `--insecure-skip-tls-verify=true`. When a privileged operator uses the MCP server and an AI agent follows injected instructions in logs, kubectl sends the operator's Kubernetes bearer token (authentication credential) to the attacker's server, which can then be replayed to gain full cluster access.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-6mx4-4h42-r8vh","publishedAt":"2026-06-05T15:40:00.000Z","cveId":"CVE-2026-47250","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["prompt_injection","supply_chain"],"issueType":"vulnerability","affectedPackages":["mcp-server-kubernetes@<= 3.6.2 (fixed: 3.7.0)"],"affectedVendors":["Anthropic"],"affectedVendorsRaw":["mcp-server-kubernetes","Claude Haiku","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-05T15:40:00.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010","AML.T0051"]}}