{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39884", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.010Z", "datePublished": "2026-04-14T23:25:59.780Z", "dateUpdated": "2026-04-15T16:13:59.605Z"}, "containers": {"cna": {"title": "MCP Server Kubernetes has Argument Injection in its port_forward tool via space-splitting", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq"}, {"name": "https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.5.0"}], "affected": [{"vendor": "Flux159", "product": "mcp-server-kubernetes", "versions": [{"version": "< 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:26:27.006Z"}, "descriptions": [{"lang": "en", "value": "mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command is constructed via string concatenation with user-controlled input and then naively split on spaces before being passed to spawn(). Unlike all other tools in the codebase which correctly use array-based argument passing with execFileSync(), port_forward treats every space in user-controlled fields (namespace, resourceType, resourceName, localPort, targetPort) as an argument boundary, allowing an attacker to inject arbitrary kubectl flags. This enables exposure of internal Kubernetes services to the network by injecting --address=0.0.0.0, cross-namespace targeting by injecting additional -n flags, and indirect exploitation via prompt injection against AI agents connected to the MCP server. This issue has been fixed in version 3.5.0."}], "source": {"advisory": "GHSA-4xqg-gf5c-ghwq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T16:04:43.245323Z", "id": "CVE-2026-39884", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:13:59.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39884", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T16:04:43.245323Z"}}}], "references": [{"url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:04:59.413Z"}}], "cna": {"title": "MCP Server Kubernetes has Argument Injection in its port_forward tool via space-splitting", "source": {"advisory": "GHSA-4xqg-gf5c-ghwq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Flux159", "product": "mcp-server-kubernetes", "versions": [{"status": "affected", "version": "< 3.5.0"}]}], "references": [{"url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq", "name": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.5.0", "name": "https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.5.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command is constructed via string concatenation with user-controlled input and then naively split on spaces before being passed to spawn(). Unlike all other tools in the codebase which correctly use array-based argument passing with execFileSync(), port_forward treats every space in user-controlled fields (namespace, resourceType, resourceName, localPort, targetPort) as an argument boundary, allowing an attacker to inject arbitrary kubectl flags. This enables exposure of internal Kubernetes services to the network by injecting --address=0.0.0.0, cross-namespace targeting by injecting additional -n flags, and indirect exploitation via prompt injection against AI agents connected to the MCP server. This issue has been fixed in version 3.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:26:27.006Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39884", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:13:59.605Z", "dateReserved": "2026-04-07T20:32:03.010Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T23:25:59.780Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suyogs:mcp-server-kubernetes:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D320AE00-0F25-4DFC-B553-81EF15C5BBC5", "versionEndExcluding": "3.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command is constructed via string concatenation with user-controlled input and then naively split on spaces before being passed to spawn(). Unlike all other tools in the codebase which correctly use array-based argument passing with execFileSync(), port_forward treats every space in user-controlled fields (namespace, resourceType, resourceName, localPort, targetPort) as an argument boundary, allowing an attacker to inject arbitrary kubectl flags. This enables exposure of internal Kubernetes services to the network by injecting --address=0.0.0.0, cross-namespace targeting by injecting additional -n flags, and indirect exploitation via prompt injection against AI agents connected to the MCP server. This issue has been fixed in version 3.5.0."}], "id": "CVE-2026-39884", "lastModified": "2026-04-23T17:22:46.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-15T04:17:37.097", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.5.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "mcp-server-kubernetes", "source": "cna", "vendor": "Flux159"}, "product": "mcp-server-kubernetes", "vendor": "flux159"}], "analysis": {"en": {"generated_at": "2026-04-15T00:20:58.926216+00:00", "value": {"mitigation_remediation": ["Upgrade mcp-server-kubernetes to version 3.5.0 or newer.", "If an upgrade is not immediately possible, restrict access to the port_forward endpoint so that only trusted administrators can invoke it.", "Validate all user input for namespace, resourceType, resourceName, localPort, and targetPort prior to constructing the kubectl command, rejecting any arguments that contain spaces or disallowed characters."], "summary": {"action": "Patch", "impact": "Exposure of Internal Kubernetes Services"}, "threat_synthesis": {"affected_systems": "The affected product is Flux159's mcp-server-kubernetes. Versions 3.4.0 and earlier are vulnerable, as indicated by the advisory. A patch in version 3.5.0 addresses the flaw.", "description_and_impact": "The vulnerability is an argument injection flaw in the port_forward tool of mcp-server-kubernetes. The code builds a kubectl command using string concatenation with user-supplied fields and naively splits the resulting string on spaces before passing it to spawn(). Each user-controlled space is treated as an argument boundary, allowing an attacker to inject arbitrary kubectl flags. This enables exposure of internal Kubernetes services to the network, cross-namespace targeting by injecting additional -n flags, and potential indirect exploitation via prompt injection against AI agents connected to the MCP server. The weakness is identified as CWE\u201188 (Argument Injection).", "risk_and_exploitability": "The CVSS score of 8.3 marks this as high. The EPSS score is not available, but the advisory notes that the issue can be exploited by supplying crafted arguments to the port_forward tool, which may be remotely accessible or available to privileged users. The vulnerability is not currently listed in the CISA KEV catalog, and no public exploit has been reported. Attackers would need to target the MCP server\u2019s port_forward endpoint and provide malicious input; if the endpoint is exposed to untrusted users, the risk of internal service exposure is significant."}}}}, "created": "2026-04-15T13:48:23.611838+00:00", "updated": "2026-04-15T14:28:41.085067+00:00", "vendors": ["flux159", "flux159$PRODUCT$mcp-server-kubernetes"]}