What happened
MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes, which are then interpreted as additional kubectl command-line flags rather than resource identifiers.
Why it matters
This MCP server gives LLM agents direct kubectl access to Kubernetes clusters; bypassing the dangerous-flags guardrail via argument injection lets a prompt-injected or malicious agent invoke arbitrary kubectl flags, potentially escalating to cluster-wide command execution or data exfiltration — a critical MCP tool-surface flaw in cluster-management tooling exposed to LLM agents.
Attack vector
Agent tool-call parameters (resourceType, name) prefixed with leading dashes are passed to kubectl and interpreted as command-line flags, bypassing the assertNoDangerousFlags check
Affected systems
MCP Server Kubernetes < 3.9.0
Mitigation
Upgrade to MCP Server Kubernetes ≥3.9.0