Argument Injection Vulnerability in mcp-server-kubernetes by Flux159
CVE-2026-39884

8.3 HIGH

Key Information:

Vendor: Flux159
CVE Published: 14 April 2026

What is CVE-2026-39884?

The mcp-server-kubernetes tool has a significant argument injection vulnerability in its port_forward tool, affecting versions 3.4.0 and earlier. This vulnerability arises from constructing kubectl commands through string concatenation, which fails to securely handle user-supplied input. It leads to improper argument boundaries, permitting attackers to inject malicious kubectl flags. Exploiting this flaw can expose internal Kubernetes services publicly, facilitate cross-namespace access, and enable indirect threats to AI systems connected to the server. The issue has been addressed in version 3.5.0.
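
The concatenation flaw described above next to an argv-based alternative, as an added example (not the project's code and not its 3.5.0 fix). The function names, field names, resource-type allow-list and the `--injected-flag=x` value are assumptions constructed for illustration.

```javascript
// Added example. All names here are hypothetical, not the project's API.
const NAME_RE = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/;      // DNS-1123 style name
const TYPES = new Set(["pod", "service", "deployment"]); // assumed allow-list

// "Before" pattern: one concatenated string that is later split on
// whitespace, so a space inside any field creates a new argument.
function buildConcatenated({ resourceType, resourceName, localPort, targetPort, namespace }) {
  let cmd = `kubectl port-forward ${resourceType}/${resourceName} ${localPort}:${targetPort}`;
  if (namespace) cmd += ` -n ${namespace}`;
  return cmd.split(/\s+/);
}

// Accept only 1-5 decimal digits in the valid TCP port range.
function checkPort(p) {
  const s = String(p);
  const n = Number(s);
  if (!/^\d{1,5}$/.test(s) || n < 1 || n > 65535) throw new Error(`invalid port: ${s}`);
  return n;
}

// "After" pattern: validate every field and emit exactly one argv element
// per value. Pass the result to execFile/spawn("kubectl", argv), no shell.
function buildArgv({ resourceType, resourceName, localPort, targetPort, namespace }) {
  if (!TYPES.has(resourceType)) throw new Error("invalid resource type");
  if (typeof resourceName !== "string" || !NAME_RE.test(resourceName)) {
    throw new Error("invalid resource name");
  }
  const argv = ["port-forward"];
  if (namespace !== undefined) {
    if (typeof namespace !== "string" || !NAME_RE.test(namespace)) {
      throw new Error("invalid namespace");
    }
    argv.push("-n", namespace);
  }
  // "--" ends option parsing, so later elements cannot be read as flags.
  argv.push("--", `${resourceType}/${resourceName}`, `${checkPort(localPort)}:${checkPort(targetPort)}`);
  return argv;
}

// Constructed input: a resource name carrying an extra, made-up flag.
const CONSTRUCTED_INPUT = {
  resourceType: "pod",
  resourceName: "web --injected-flag=x",
  localPort: 8080,
  targetPort: 80,
};
```

With the constructed input, `buildConcatenated` yields five arguments instead of four, while `buildArgv` rejects the name before any process is started.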

Affected Version(s)

mcp-server-kubernetes < 3.5.0

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
