Home / Vulnerability Intelligence / CVE-2026-39884

CVE-2026-39884 - Vulnerability Analysis

HighCVSS: 8.3

Last Updated: April 15, 2026

mcp-server-kubernetes - Command Injection

Published: April 15, 2026Updated: April 15, 2026Remote Exploitable

Overview

mcp-server-kubernetes <= 3.4.0 contains a command injection caused by unsafe string concatenation of user-controlled input in port_forward tool, letting attackers inject arbitrary kubectl flags to expose internal services and cross namespaces, exploit requires attacker to control input fields.

Severity & Score

Severity: High

CVSS Score: 8.3

Impact

Attackers can inject arbitrary kubectl flags to expose internal services and perform cross-namespace actions, potentially compromising cluster security.

Mitigation

Update to version 3.5.0 or later.

References

https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.5.0
https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-39884
Severity: High
CVSS Score: 8.3
Type: command_injection
Status: new

CWE

CWE-88

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L