What happened
CVE-2026-13341 (CVSS 7.4 High, published 2026-07-03) affects the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0. A remote attacker can craft input that, when processed by an LLM agent connected to the MCP server, causes the agent to execute unintended API requests against the Kong Konnect API gateway infrastructure — a textbook indirect prompt injection attack. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:A) indicates network-accessible, no authentication required, with changed scope and high confidentiality impact.
Why it matters
Kong Konnect is one of the most widely deployed enterprise API gateway and management platforms. Its MCP server exposes AI agents to the full breadth of API management operations — routing rules, service configurations, plugin settings, credentials. Indirect prompt injection here allows an attacker to redirect agent actions to read API secrets, enumerate internal service configurations, or manipulate gateway routing without ever authenticating to Konnect directly. This is a supply-chain amplifier: one poisoned MCP interaction can affect all APIs managed through the gateway.
Attack vector
Attacker plants malicious content that is ingested by an LLM agent connected to the Kong Konnect MCP server; the injected instructions cause the agent to issue unintended API requests (data exfiltration, configuration manipulation) against the Kong Konnect management plane.
Affected systems
Kong mcp-konnect MCP server < 1.0.0
Mitigation
Upgrade Kong mcp-konnect to version 1.0.0 or later. GitHub advisory: https://github.com/Kong/mcp-konnect/security/advisories/GHSA-7767-3m3w-2p44