Arbitrary Argument Injection Affecting mcp-server-kubernetes package, versions <3.9.0


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.42% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-MCPSERVERKUBERNETES-17954415
  • published12 Jul 2026
  • disclosed10 Jul 2026
  • creditUnknown

Introduced: 10 Jul 2026

NewCVE-2026-61459  (opens in a new tab)
CWE-88  (opens in a new tab)

How to fix?

Upgrade mcp-server-kubernetes to version 3.9.0 or higher.

Overview

mcp-server-kubernetes is a MCP server for interacting with Kubernetes clusters via kubectl

Affected versions of this package are vulnerable to Arbitrary Argument Injection via the kubectl_get, kubectl_describe, and kubectl_delete functions. An attacker can execute arbitrary commands by supplying specially crafted parameters with leading dashes, which bypass security checks and allow injection of additional flags. This can result in the redirection of commands to an attacker-controlled API server, exposing sensitive authentication tokens and enabling full compromise of the cluster.

CVSS Base Scores

version 4.0
version 3.1