PatchSiren cyber security CVE debrief
CVE-2026-47250 Flux159 CVE debrief
CVE-2026-47250 is a medium-severity vulnerability in mcp-server-kubernetes, a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments. An attacker with limited cluster or codebase access can plant a structured JSON line in an application's log output. When an operator with a privileged kubeconfig uses the MCP server to read those logs, kubectl_generic is called with malicious flags, sending API requests to the attacker's endpoint. The captured token can then be replayed against the real Kubernetes API server, granting the attacker full RBAC permissions of the operator's service account. This issue has been patched in version 3.7.0.
- Vendor
- Flux159
- Product
- mcp-server-kubernetes
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-11
- Original CVE updated
- 2026-06-11
- Advisory published
- 2026-06-11
- Advisory updated
- 2026-06-11
Who should care
Users of mcp-server-kubernetes prior to version 3.7.0, Kubernetes administrators, and security teams responsible for monitoring and mitigating vulnerabilities in Kubernetes environments.
Technical summary
The vulnerability exists in the kubectl_generic tool of mcp-server-kubernetes. It passes user-supplied flags directly to kubectl without validation, allowing an attacker to inject malicious flags. This can lead to a privilege escalation attack where an attacker captures a privileged token and uses it to gain full RBAC permissions of an operator's service account.
Defensive priority
High
Recommended defensive actions
- Upgrade mcp-server-kubernetes to version 3.7.0 or later.
- Restrict access to the MCP server to only trusted users and services.
- Monitor Kubernetes logs for suspicious activity.
- Implement additional security measures such as network policies and RBAC controls.
Evidence notes
The vulnerability was patched in version 3.7.0 of mcp-server-kubernetes. References to the patched version and security advisory can be found at [ref-4](https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.7.0) and [ref-5](https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-6mx4-4h42-r8vh).
Official resources
CVE-2026-47250 was published on 2026-06-11T19:16:46.770Z and modified on 2026-06-11T21:01:26.377Z.