Severity: HIGH | CVE-2026-46519 | CNA: GitHub_M

CVE-2026-46519: mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic. This issue has been patched in version 3.6.0.
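The gap described above, modeled as an added example (not the mcp-server-kubernetes source): the same policy function filters discovery, while one call path skips it and the hardened path re-checks it. Tool names, function names and the precedence and format of the three variables are assumptions made for illustration.

```javascript
// Added illustration; tool names below are constructed, not the project's.
const TOOLS = {
  get_resource:    { readOnly: true,  destructive: false, run: (a) => `got ${a.name}` },
  apply_manifest:  { readOnly: false, destructive: false, run: (a) => `applied ${a.name}` },
  delete_resource: { readOnly: false, destructive: true,  run: (a) => `deleted ${a.name}` },
};

// One policy decision shared by both layers. Assumed semantics:
// ALLOWED_TOOLS is a comma-separated allow-list; the two flags are "true" or unset.
function isAllowed(name, env) {
  const tool = TOOLS[name];
  if (!tool) return false;
  if (env.ALLOWED_TOOLS) {
    return env.ALLOWED_TOOLS.split(",").map((s) => s.trim()).includes(name);
  }
  if (env.ALLOW_ONLY_READONLY_TOOLS === "true") return tool.readOnly;
  if (env.ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS === "true") return !tool.destructive;
  return true;
}

// Discovery layer (tools/list): filtered by policy.
function listTools(env) {
  return Object.keys(TOOLS).filter((name) => isAllowed(name, env));
}

// Pattern from the advisory: tools/call dispatches by name with no policy check,
// so a tool hidden from listTools() still runs.
function callToolUnchecked(name, args) {
  const tool = TOOLS[name];
  if (!tool) throw new Error(`unknown tool: ${name}`);
  return tool.run(args);
}

// Hardened form: the execution layer evaluates the same policy before dispatch.
function callToolEnforced(name, args, env) {
  if (!isAllowed(name, env)) {
    throw new Error(`tool not permitted by server policy: ${name}`);
  }
  return TOOLS[name].run(args);
}
```

A regression test for this class of bug asserts on the call path for every tool the list path hides, not on the list output alone.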

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an access control bypass in mcp-server-kubernetes, a Model Context Protocol server used to manage Kubernetes clusters. The three environment variables documented as tool-access restrictions (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) are enforced only when a client lists available tools, not when a client actually calls a tool by name. A network-accessible attacker with any valid low-privilege account can invoke restricted Kubernetes operations directly, bypassing the intended restrictions entirely and gaining full read, write, and availability impact over cluster resources. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as a fix version is published upstream.

HarborGuard Coverage

Detection

Detection of CVE-2026-46519 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle mcp-server-kubernetes, in both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing, surfacing findings to the team inbox or ticketing integration configured for the affected workload.

Status: Available

Patch

Because no fix version has been published upstream for this CVE, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment the upstream fix ships. In the interim, compensating controls such as network-policy isolation of the mcp-server-kubernetes service and egress filtering can be flagged through HarborGuard's policy recommendation flow.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The MCP server is exposed over the network, so an attacker must be able to reach it remotely to issue tool-call requests.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker only needs credentials valid enough to interact with the MCP server, not administrative access.

  • Victim interaction: Not required

    No victim action is needed; the attacker calls restricted tools directly without any user involvement.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free: knowing a restricted tool name is enough to invoke it, with no race conditions or special environmental setup required.

Blast Radius

  • Reads any Kubernetes resource in the cluster, including secrets, config maps, and service account tokens.
  • Writes or modifies Kubernetes resources, including deploying arbitrary workloads or altering existing deployments.
  • Deletes cluster resources, disrupting running services and causing workload outages.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version exists for CVE-2026-46519 at this time, HarborGuard continuously re-checks the advisory each ingest cycle and will automatically make a patched-image rebuild available the moment the upstream maintainer publishes a fixed release. While no patch is available, customers can apply compensating controls through HarborGuard's policy recommendation flow: network-policy isolation to restrict which clients can reach the mcp-server-kubernetes service, egress filtering to limit what the server can reach within the cluster, and feature-flag or environment-variable audits to confirm that access-control variables are not being treated as a security boundary. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be triggered automatically once a fix version is published.
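One way to run the environment-variable audit mentioned above, as an added example (not HarborGuard or project code): it takes a workload manifest as parsed JSON and flags containers running an mcp-server-kubernetes image below 3.6.0 that set any of the three restriction variables. Matching on the image name, the tag format and the sample manifest are assumptions.

```javascript
// Added example. Assumes the image name contains "mcp-server-kubernetes" and
// carries a semver tag; variables supplied through envFrom are not inspected.
const POLICY_VARS = ["ALLOW_ONLY_READONLY_TOOLS", "ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS", "ALLOWED_TOOLS"];
const FIXED = [3, 6, 0]; // patched release named in the advisory

// "registry.example/app:v3.5.2" -> [3, 5, 2]; null for "latest", digests, no tag.
function imageVersion(image) {
  const last = image.split("@")[0].split("/").pop();
  const m = /:v?(\d+)\.(\d+)\.(\d+)/.exec(last);
  return m ? m.slice(1).map(Number) : null;
}

function isBelowFixed(v) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // equal to the fixed version
}

// Returns one finding per matching container in a Deployment-style manifest.
function auditWorkload(manifest) {
  const findings = [];
  const containers = manifest?.spec?.template?.spec?.containers ?? [];
  for (const c of containers) {
    if (!/mcp-server-kubernetes/i.test(c.image ?? "")) continue;
    const version = imageVersion(c.image);
    const policyVars = (c.env ?? []).map((e) => e.name).filter((n) => POLICY_VARS.includes(n));
    let status;
    if (version === null) status = "unknown-version";
    else if (!isBelowFixed(version)) status = "fixed";
    else status = policyVars.length ? "restriction-not-enforced" : "affected";
    findings.push({ workload: manifest.metadata?.name, container: c.name, status, policyVars });
  }
  return findings;
}

// Constructed sample manifest (hypothetical registry and names).
const SAMPLE = {
  metadata: { name: "mcp-k8s" },
  spec: { template: { spec: { containers: [
    { name: "mcp", image: "registry.example/mcp-server-kubernetes:3.5.2",
      env: [{ name: "ALLOW_ONLY_READONLY_TOOLS", value: "true" }] },
    { name: "sidecar", image: "registry.example/proxy:1.0.0" },
  ] } } },
};
```

A `restriction-not-enforced` finding marks a workload where the variables were set as a security boundary on a version that does not enforce them at tools/call.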

Affected packages
  • Flux159 / mcp-server-kubernetes
    < 3.6.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H