GHSA-cr22-wjx7-2w6m: MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
Summary
The `mcp-server-kubernetes` tool had a security flaw where access control settings (environment variables that limit which Kubernetes operations are available) only worked when listing tools, but not when actually running them. This meant an attacker or misconfigured AI agent could bypass these restrictions and run any Kubernetes command, like deleting pods or accessing containers, even if they were supposed to be blocked.
Solution / Mitigation
The fix applies the same filtering logic from the tool listing layer to the tool execution layer in the `CallToolRequestSchema` handler, so that restricted tools return an error when called directly. This was fixed in v3.6.0.
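A minimal model of the bug class and the fix described above, as an added example that is not code from mcp-server-kubernetes or the advisory. The tool names, the `Policy` shape and every function name are constructed for illustration.

```typescript
// Added illustration; tool names and the policy shape are constructed, not the project's.
type Tool = { name: string; run: (args: Record<string, string>) => string };
type Policy = { allowed: Set<string> | null }; // null = no restriction configured
type CallResult = { isError: boolean; text: string };

const TOOLS: Tool[] = [
  { name: "pods_list", run: () => "listed pods" },
  { name: "pods_delete", run: (a) => `deleted ${a.name}` },
  { name: "pods_exec", run: (a) => `exec in ${a.name}` },
];

// Single source of truth for the access decision, shared by both layers.
function isAllowed(policy: Policy, toolName: string): boolean {
  return policy.allowed === null || policy.allowed.has(toolName);
}

// Presentation layer: what a client sees when it lists tools.
function listTools(policy: Policy): string[] {
  return TOOLS.filter((t) => isAllowed(policy, t.name)).map((t) => t.name);
}

// Pre-fix shape: dispatch by name with no policy check at execution time.
function callToolUnfiltered(_policy: Policy, name: string, args: Record<string, string>): CallResult {
  const tool = TOOLS.find((t) => t.name === name);
  if (!tool) return { isError: true, text: `unknown tool: ${name}` };
  return { isError: false, text: tool.run(args) };
}

// Post-fix shape: the same predicate as listTools, evaluated before dispatch.
function callToolEnforced(policy: Policy, name: string, args: Record<string, string>): CallResult {
  if (!isAllowed(policy, name)) {
    return { isError: true, text: `tool disabled by policy: ${name}` };
  }
  return callToolUnfiltered(policy, name, args);
}

// Regression check: any tool hidden from the listing must also fail when called.
function hiddenButCallable(policy: Policy, call: typeof callToolEnforced): string[] {
  const listed = new Set(listTools(policy));
  return TOOLS.filter((t) => !listed.has(t.name))
    .filter((t) => !call(policy, t.name, { name: "demo" }).isError)
    .map((t) => t.name);
}
```

A check like `hiddenButCallable` belongs in the server's test suite so that any handler added later cannot drift from the listing filter unnoticed.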
Vulnerability Details
EPSS: 0.0%
May 21, 2026
Original source: https://github.com/advisories/GHSA-cr22-wjx7-2w6m
First tracked: May 21, 2026 at 08:00 PM