🚨 NeuralTrust recognized by Gartner
Runtime Security (GAF)
Prompt GuardProtect and moderate your GenAI applications
Behavioral Threat DetectionDetect behavioral threats across GenAI workflows
Bot DetectionBlock scrapers and synthetic users in real time
Sensitive Data MaskingMask PII and sensitive data automatically
Moderation & Policy EngineEnforce custom policies across GenAI systems
AI GatewayUnify and control your GenAI infrastructure
AI Agent Security
Guardian AgentsA force of security agents to control Al agents actions
Agent Security PostureContinuous discovery & monitoring of agents and tools
MCP GatewayControl which tools and data agents can access
MCP ScannerScan and test MCP code for vulnerabilities in your CI/CD
Threat & Risk Detection
Red TeamingSimulate adversaries and stress test defenses
Alerting & MonitoringGet real-time alerts on GenAI behavior
Model Code ScannerDetect vulnerabilities in model-side code
Tracing & AnalyticsTrace GenAI behavior across full workflows
Shadow AIStop confidential data from
reaching unsanctioned AI
Resources
Resources center
Guides
Blog
Newsletter
Developers
Documentation
Company
About us
Partners
Careers
News
Contact
Social media
Sign inGet a demo
Back
CVE-2026-46519: Why Your Kubernetes MCP Server May Be Open to Attack

CVE-2026-46519: Why Your Kubernetes MCP Server May Be Open to Attack

Alessandro Pignati • May 19, 2026

Recent findings by security researchers have unveiled a significant access control bypass, identified as CVE-2026-46519, within the mcp-server-kubernetes project. This vulnerability carries a high severity rating with a CVSS score of 8.8, underscoring its potential impact on affected systems.

This flaw is particularly concerning given the widespread adoption of mcp-server-kubernetes. This project serves as a crucial bridge, enabling AI agents to directly interact with Kubernetes clusters. With over 20,000 weekly downloads on npm and 1.4K stars on GitHub, it represents a substantial piece of infrastructure that numerous organizations rely on to integrate AI capabilities into their Kubernetes environments.

The fundamental issue lies in the bypass of security controls designed to restrict AI agents to specific actions, such as performing only "read-only" or "non-destructive" operations. Despite configurations intended to limit an agent's capabilities, this vulnerability allows for these restrictions to be circumvented, enabling the agent to execute commands beyond its authorized scope.

Discovery vs. Execution

The vulnerability stems from a fundamental disconnect between how the server advertises its capabilities and how it actually executes them. In mcp-server-kubernetes, operators can use environment variables to enforce least privilege. For instance, setting ALLOW_ONLY_READONLY_TOOLS=true is intended to restrict the agent to read operations, while ALLOWED_TOOLS can be used to specify an explicit allowlist of permitted tool names.

These controls, however, are only enforced at the discovery layer. When an AI agent or client requests a list of available tools via the tools/list method, the server correctly filters the response based on the environment variables. A "read-only" agent will only see tools like kubectl_get or kubectl_describe in its list of options.

The critical failure occurs at the execution layer. The tools/call handler, which is responsible for actually running the requested tool, lacks the corresponding checks. It does not verify if the tool being called is part of the allowed set or if it violates the "read-only" policy. Consequently, any client that knows the name of a restricted tool, which are publicly documented in the project's README, can invoke it directly by sending a targeted request to the tools/call endpoint.

Control MechanismEnforced in tools/list (Discovery)Enforced in tools/call (Execution)
ALLOW_ONLY_READONLY_TOOLSYesNo
ALLOW_ONLY_NON_DESTRUCTIVE_TOOLSYesNo
ALLOWED_TOOLSYesNo

This discrepancy means that the security boundaries are purely cosmetic. They hide the "buttons" from the user interface but leave the underlying "wiring" fully accessible to anyone who knows where to look.


From Read-Only to Cluster Takeover

To understand the practical implications of this bypass, consider a scenario where an operator deploys the MCP server with ALLOW_ONLY_READONLY_TOOLS=true. The operator believes that any agent or client connecting to this endpoint is strictly limited to viewing resources and cannot modify the cluster state.

When the agent queries the server for its capabilities, it receives a list of eight read-only tools. A destructive tool like kubectl_delete is conspicuously absent from this list, reinforcing the operator's false sense of security. However, an attacker or a malicious client can simply ignore the provided list and send a direct request to the server to delete a resource.

For example, a simple curl command can be used to bypass the intended restriction:

Copied!

The server, failing to validate the request against its "read-only" policy, will execute the command and return a success message, confirming that the pod has been deleted. This demonstration proves that the "read-only" safety net is entirely ineffective in vulnerable versions of the server. The restriction only affects what is shown to the client, not what the server is willing to do.

The Criticality of Service Account Privileges

The ultimate impact of this bypass is heavily dependent on the permissions granted to the Kubernetes Service Account that the MCP server uses to interact with the cluster. While the vulnerability allows a client to bypass the server's internal restrictions, it cannot grant the server itself more permissions than it already has within Kubernetes.

In many development or staging environments, it is common to see the MCP server running with cluster-admin privileges for convenience. In such a configuration, the bypass is catastrophic. An attacker who can reach the HTTP endpoint effectively gains full control over the entire cluster, as they can invoke any tool that the cluster-admin account is authorized to use. This includes deleting namespaces, modifying deployments, or even exfiltrating sensitive data from secrets.

This vulnerability serves as a stark reminder of the Principle of Least Privilege. Kubernetes Role-Based Access Control (RBAC) should always be the final line of defense. Even if an application-level control like a "read-only mode" fails, the underlying service account should only have the minimum set of permissions required for its intended function. If an agent only needs to monitor pods, its service account should not have the authority to delete them, regardless of what the MCP server's configuration might suggest.

Remediation and Best Practices for MCP Security

The most immediate and critical step for any organization using mcp-server-kubernetes is to update to version 3.6.0 or later. This version introduces the necessary checks at the execution layer, ensuring that the tools/call handler respects the same restrictions as the tools/list method. If you are running an earlier version, your cluster is potentially at risk, and you should prioritize this update immediately.

Beyond this specific fix, the discovery of CVE-2026-46519 offers broader lessons for the security of AI agentic systems. Developers of such tools must adopt a "trust nothing" approach. Every incoming request, even from an authenticated client, must be treated as potentially malicious. Security controls should never be implemented solely at the presentation or discovery layer; they must be enforced at the point of execution to be effective.

For operators deploying MCP servers, a defense-in-depth strategy is essential. This includes:

  • Network Isolation: Ensure that the MCP server endpoint is not exposed to the public internet and is only accessible from trusted networks or via secure tunnels.
  • Robust Authentication: Use strong authentication mechanisms, such as the MCP_AUTH_TOKEN supported by the project, to control who can reach the server in the first place.
  • Granular RBAC: As discussed, always use the most restrictive Kubernetes Service Account possible. An AI agent should only have the permissions it absolutely needs to perform its tasks.

By combining timely updates with rigorous infrastructure-level security, organizations can safely leverage the power of AI agents while maintaining the integrity of their Kubernetes clusters.


Related posts

See all
The Claude Code RCE: When Eager Parsing Leads to Remote Execution
Alessandro Pignati • May 18, 2026
The Claude Code RCE: When Eager Parsing Leads to Remote Execution
Read more
Securing the Agentic Payment Layer
Alessandro Pignati • May 13, 2026
Securing the Agentic Payment Layer
Read more
OpenAI Daybreak: The Dawn of Agentic Cybersecurity
Alessandro Pignati • May 12, 2026
OpenAI Daybreak: The Dawn of Agentic Cybersecurity
Read more