Vulnerability  ·  2026-07-04

Kong Konnect MCP Server — Indirect Prompt Injection Enables Unintended API Request Execution (CVE-2026-13341)

VulnerabilityHigh impactGlobalCVE-2026-13341
CVE-2026-13341 (CVSS 7.4 High, published 2026-07-03) affects the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0. A remote attacker can craft input that, when processed by an LLM agent connected to the MCP server, causes the agent to execute unintended API requests against the Kong Konnect API gateway infrastructure — a textbook indirect prompt injection attack. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:A) indicates network-accessible, no authentication required, with changed scope and high confidentiality impact.
Kong Konnect is one of the most widely deployed enterprise API gateway and management platforms. Its MCP server exposes AI agents to the full breadth of API management operations — routing rules, service configurations, plugin settings, credentials. Indirect prompt injection here allows an attacker to redirect agent actions to read API secrets, enumerate internal service configurations, or manipulate gateway routing without ever authenticating to Konnect directly. This is a supply-chain amplifier: one poisoned MCP interaction can affect all APIs managed through the gateway.
Attacker plants malicious content that is ingested by an LLM agent connected to the Kong Konnect MCP server; the injected instructions cause the agent to issue unintended API requests (data exfiltration, configuration manipulation) against the Kong Konnect management plane.
Kong mcp-konnect MCP server < 1.0.0
Upgrade Kong mcp-konnect to version 1.0.0 or later. GitHub advisory: https://github.com/Kong/mcp-konnect/security/advisories/GHSA-7767-3m3w-2p44
NVD — CVE-2026-13341GitHub Advisory GHSA-7767-3m3w-2p44 (Kong mcp-konnect)PT Security dbugs — CVE-2026-13341 (published 2026-07-03)Kong Blog — AI Agent Platforms Are Getting Hacked (2026-07-02)
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →