{"data":{"id":"9a129274-1a6e-4e3b-b9f2-e543dd4fb062","title":"CVE-2026-39884: mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior con","summary":"mcp-server-kubernetes versions 3.4.0 and earlier have an argument injection vulnerability (a type of attack where an attacker sneaks extra commands into a tool by exploiting how input is processed) in the port_forward tool. The vulnerability exists because the code builds a kubectl command (a tool for managing Kubernetes clusters) by concatenating strings with user input and splitting on spaces, instead of using a safer array-based method like other tools in the codebase. This allows attackers to inject malicious kubectl flags to expose internal services or target resources in unintended ways.","solution":"Update to version 3.5.0, which fixes this issue.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-39884","publishedAt":"2026-04-15T04:17:37.097Z","cveId":"CVE-2026-39884","cweIds":["CWE-88"],"cvssScore":"8.3","cvssSeverity":"high","severity":"high","attackType":["prompt_injection","supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["mcp-server-kubernetes","Model Context Protocol"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0.00046,"patchAvailable":null,"disclosureDate":"2026-04-15T04:17:37.097Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0010","AML.T0051"]}}