When AI Take the Wheel: Command Injection in Kubernetes MCP Server
Jan 1, 2026·5 min read·10 visits
Executive Summary (TL;DR)
The mcp-server-kubernetes package trusted user input blindly, passing it directly into `child_process.execSync`. This allowed attackers to inject shell metacharacters through parameters like 'namespace', turning a helpful Kubernetes management tool into a remote shell for the host machine. Fixed in version 2.5.0.
A critical Remote Code Execution (RCE) vulnerability in the mcp-server-kubernetes implementation allows attackers to execute arbitrary shell commands via malicious Model Context Protocol (MCP) tool parameters. By tricking an LLM into processing a crafted prompt, an attacker can pivot from natural language to root access.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
mcp-server-kubernetes Flux159 | < 2.5.0 | 2.5.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 (OS Command Injection) |
| CVSS Score | 7.5 (High) |
| Attack Vector | Network (via LLM Prompt Injection) |
| Platform | Node.js / Kubernetes |
| Vulnerable Function | child_process.execSync |
MITRE ATT&CK Mapping
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.