Technical description
mcp-server-kubernetes prior to version 3.6.0 exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) that are documented as access controls for restricting the tool set available to AI agent operators. However, these environment variables can be overridden or bypassed, allowing an agent or attacker to access the full Kubernetes cluster management tool set regardless of the intended safety configuration. This means an AI agent restricted to read-only operations could be made to perform destructive cluster actions. A companion vulnerability CVE-2026-47250 (CVSS 6.1) in versions prior to 3.7.0 allows kubectl flag injection through the kubectl_generic tool, enabling privilege escalation within Kubernetes environments.
Attack vector
Agent-side or operator-side environment variable manipulation overrides documented access controls. The MCP server connects AI agents to Kubernetes cluster APIs; once safety environment variable restrictions are bypassed, an agent can issue arbitrary kubectl commands including destructive or privilege-escalating operations.
Affected systems
Flux159/mcp-server-kubernetes versions prior to v3.6.0 (CVE-2026-46519) and prior to v3.7.0 (CVE-2026-47250). The server is a widely-used MCP integration for giving AI coding agents and autonomous agents access to Kubernetes cluster management.
Mitigation
Upgrade to mcp-server-kubernetes v3.7.0 (addresses both CVEs). Audit all running mcp-server-kubernetes instances for the environment variable configuration. Apply network-level controls so the MCP server is not accessible beyond the intended agent runtime. Review agent permissions and enforce least-privilege Kubernetes RBAC independently of the MCP server's own access controls.