{"data":{"id":"9f57880c-36cd-4468-85ee-e28ffb373164","title":"GHSA-cr22-wjx7-2w6m: MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement","summary":"`mcp-server-kubernetes` had a security flaw in which its access control settings (environment variables that limit which Kubernetes operations are available) were enforced only when listing tools, not when executing them. As a result, an attacker or a misconfigured AI agent could bypass these restrictions by calling a tool directly and run any Kubernetes command, such as deleting pods or accessing containers, even if it was supposed to be blocked.","solution":"The fix applies the filtering logic used by the tool listing layer to the tool execution layer as well, in the `CallToolRequestSchema` handler, so that restricted tools return an error when called directly. This was fixed in v3.6.0.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-cr22-wjx7-2w6m","publishedAt":"2026-05-21T20:33:46.000Z","cveId":"CVE-2026-46519","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["mcp-server-kubernetes@< 3.6.0 (fixed: 3.6.0)"],"affectedVendors":[],"affectedVendorsRaw":["mcp-server-kubernetes","Claude (via MCP integration)"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-21T20:33:46.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}