
CVE-2026-39884: Argument Injection in mcp-server-kubernetes

The mcp-server-kubernetes project, a tool designed for managing Kubernetes clusters via the Model Context Protocol, contains a critical argument injection vulnerability identified as CVE-2026-39884. By exploiting the lack of input validation in the port_forward function, an unauthenticated attacker or a compromised AI agent can influence the construction of kubectl commands. This results in potential exposure of internal services to the public network or cross-namespace unauthorized access.

The vulnerability is located in src/tools/port_forward.ts. The port_forward function constructs command-line arguments for the kubectl utility using string concatenation based on user-supplied parameters: namespace, resourceType, resourceName, localPort, and targetPort.

Instead of passing arguments as an array (for example via execFileSync, where each array element reaches kubectl as exactly one argument regardless of embedded spaces), the code concatenates the parameters into a single string and then splits that string on spaces. An attacker who supplies a value containing a space can therefore inject additional command-line flags.
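The space-splitting defect described above beside an array-based builder, as an added TypeScript example that is not the project's code. The function names, the resource-type allow-list and the name and port checks are assumptions for illustration; the parameter names follow the advisory.

```typescript
// Added example (not mcp-server-kubernetes code): one user-supplied value with an
// embedded space becomes extra kubectl flags when argv is built by split(" ").
interface PortForwardInput {
  namespace: string;
  resourceType: string;
  resourceName: string;
  localPort: string;
  targetPort: string;
}

// Vulnerable pattern: concatenate into one string, then split on spaces.
function buildArgsVulnerable(p: PortForwardInput): string[] {
  const cmd = `port-forward -n ${p.namespace} ${p.resourceType}/${p.resourceName} ${p.localPort}:${p.targetPort}`;
  return cmd.split(" ");
}

// Hardened pattern: validate each value, then emit it as its own argv element
// (suitable for execFileSync("kubectl", args)); nothing is re-split later.
const DNS_LABEL = /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/;          // assumed name rule
const RESOURCE_TYPES = new Set(["pod", "service", "deployment"]); // assumed allow-list

function assertPort(name: string, v: string): number {
  if (!/^\d{1,5}$/.test(v)) throw new Error(`${name}: not a port number`);
  const n = Number(v);
  if (n < 1 || n > 65535) throw new Error(`${name}: out of range`);
  return n;
}

function buildArgsSafe(p: PortForwardInput): string[] {
  const names: Array<[string, string]> = [["namespace", p.namespace], ["resourceName", p.resourceName]];
  for (const [k, v] of names) {
    if (v.length > 63 || !DNS_LABEL.test(v)) throw new Error(`${k}: invalid name`);
  }
  if (!RESOURCE_TYPES.has(p.resourceType)) throw new Error("resourceType: not allowed");
  const local = assertPort("localPort", p.localPort);
  const target = assertPort("targetPort", p.targetPort);
  // Each element is one argument; a space inside a value stays inside that element.
  return ["port-forward", "-n", p.namespace, `${p.resourceType}/${p.resourceName}`, `${local}:${target}`];
}

// Defensive check for logs or tests: any flag other than the builder's own leading -n
// means the argv was tampered with or built by the vulnerable path.
function hasUnexpectedFlags(args: string[]): boolean {
  return args.slice(1).some((a, i) => a.startsWith("-") && !(i === 0 && a === "-n"));
}
```

hasUnexpectedFlags treats only the builder's own `-n` as expected, which is a tighter check than matching any `-n` substring in a log line.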

An attacker can manipulate the input to append malicious flags.

  1. Identify the input fields handled by port_forward.
  2. Construct a payload that includes spaces and flag arguments (e.g., --address=0.0.0.0 or additional -n flags).
  3. Execute the tool via the MCP server interface.
  4. The server inadvertently processes the injected flags when spawning the kubectl process.

Organizations can detect exploitation attempts by monitoring command execution logs for anomalous kubectl flags.

Sigma rule:

```yaml
title: MCP Server Kubernetes Argument Injection
status: experimental
description: Detects potential argument injection attempts against the port_forward tool.
logsource:
  product: kubernetes
  category: application
detection:
  selection:
    command|contains:
      - "kubectl"
      - "port-forward"
    args|contains:
      - "--address=0.0.0.0"
      - "-n"
  condition: selection
level: high
```

Equivalent Splunk search (the OR is parenthesised so that the kubectl condition applies to both flag patterns):

```spl
index=k8s_logs sourcetype=mcp_server
| search command="kubectl" AND (args="*--address=0.0.0.0*" OR args="*-n*")
| stats count by user, src_ip, dest_namespace
```

Upgrade mcp-server-kubernetes to version 3.5.0 immediately. This version remedies the vulnerability by utilizing secure array-based argument passing instead of space-delimited string concatenation.