VYPR
← All advisories
High severity8.8GHSA Advisory· Published May 21, 2026

MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement

CVE-2026-46519

Description

Summary

mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic.

Fixed in v3.6.0.

Impact

An attacker or misconfigured AI agent with network access to the MCP server's HTTP endpoint could invoke any Kubernetes tool regardless of the restriction mode configured by the operator -- including kubectl_delete, exec_in_pod, kubectl_generic, and node_management.

The project explicitly supports and documents multi-client HTTP deployment scenarios (Streamable HTTP and SSE transports, in-cluster deployments, Codex CLI and Gemini CLI integrations). In these deployments, operators relied on the tool restriction env vars to enforce least-privilege access across users or roles. The bypass invalidated that model entirely.

Severity scales with the Kubernetes service account's permissions. In environments where the MCP server runs with cluster-admin (common in dev/staging), this is equivalent to full cluster compromise for any client that can reach the endpoint.

The MCP_AUTH_TOKEN / X-MCP-AUTH mechanism controls who can reach the endpoint but provides no per-tool authorization. An authenticated client restricted to ALLOWED_TOOLS=kubectl_get could still invoke kubectl_delete after authentication.

Root

Cause

In src/index.ts, the ListToolsRequestSchema handler applied the configured filtering logic before returning available tools. The CallToolRequestSchema handler dispatched directly by tool name with no equivalent check -- every tool was reachable unconditionally.

Proof of

Concept

Tested across all three restriction modes against a live kind cluster. In each case, kubectl_delete was absent from tools/list but executed successfully via a direct tools/call request:

curl -s http://:3003/mcp \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kubectl_delete","arguments":{"resourceType":"pod","name":"test-pod","namespace":"default"}}}'

Result: {"result":{"content":[{"type":"text","text":"pod \"test-pod\" deleted\n"}]}}

Confirmed across ALLOW_ONLY_READONLY_TOOLS=true, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS=true, and ALLOWED_TOOLS=kubectl_get.

Remediation

The fix applies the same filtering logic from ListToolsRequestSchema at the start of the CallToolRequestSchema handler, returning an error for any tool call outside the active allowed set. Fixed in v3.6.0.

Credit

Discovered by Francisco Rosales of Manifold Security, coordinated by Ax Sharma, Head of Research at Manifold Security.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Access control bypass in mcp-server-kubernetes allows any client to invoke restricted Kubernetes tools by directly calling the execution endpoint.

Vulnerability

The mcp-server-kubernetes package implements three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) intended to restrict which Kubernetes operations a client can perform. However, these restrictions are only enforced at the tool discovery layer (tools/list) and not at the execution layer (tools/call). In src/index.ts, the ListToolsRequestSchema handler filters the available tools, but the CallToolRequestSchema handler dispatches directly by tool name without any equivalent check, making every tool reachable unconditionally [1][2].

Exploitation

An attacker or misconfigured AI agent with network access to the MCP server's HTTP endpoint can invoke any Kubernetes tool by simply knowing its name, regardless of the configured restriction mode. The project supports multi-client HTTP deployments (Streamable HTTP, SSE, in-cluster, Codex CLI, Gemini CLI), where operators relied on these environment variables for least-privilege access. The MCP_AUTH_TOKEN / X-MCP-AUTH mechanism controls endpoint access but provides no per-tool authorization, so an authenticated client restricted to ALLOWED_TOOLS=kubectl_get could still invoke kubectl_delete after authentication [1][2].

Impact

A successful bypass allows invocation of destructive tools such as kubectl_delete, exec_in_pod, kubectl_generic, and node_management. The severity scales with the Kubernetes service account's permissions; in environments where the MCP server runs with cluster-admin (common in dev/staging), this is equivalent to full cluster compromise for any client that can reach the endpoint [1][2].

Mitigation

The issue is fixed in version 3.6.0. Operators should upgrade immediately and ensure that the MCP server is not exposed to untrusted networks without additional authentication layers [1][2].

References
  1. CVE-2026-46519 - GitHub Advisory Database
  2. Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.