38 matches found
GHSA-Q4H4-GMJ2-QVW2 vulnerabilities
Vulnerabilities for packages: guac, crossplane-provider-aws-memorydb, glab, crossplane-provider-keycloak, crossplane-provider-azure-storage, crossplane-provider-aws-iam, tflint, terraform-provider-tls, cluster-api-azure-controller, ko, crossplane-provider-family-aws, step, opentelemetry-collector...
Incorrect Authorization
Overview mcp-server-kubernetes is a MCP server for interacting with Kubernetes clusters via kubectl Affected versions of this package are vulnerable to Incorrect Authorization through the CallTool handler in src/index.ts. An attacker can invoke disallowed Kubernetes tools and perform destructive...
MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
Summary mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer tools/list but not ...
GHSA-CR22-WJX7-2W6M MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
Summary mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer tools/list but not ...
PT-2026-42619
Summary mcp-server-kubernetes exposes three environment variables ALLOW ONLY READONLY TOOLS, ALLOW ONLY NON DESTRUCTIVE TOOLS, ALLOWED TOOLS documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer tools/list...
CVE-2026-35469 vulnerabilities
Vulnerabilities for packages: postgres-operator-fips, gitlab-runner-fips, cloudnative-pg-fips, gitlab-kas-fips, plugin-barman-cloud-fips, zarf-fips, argo-cd, sonobuoy, argo-rollouts, envoy-gateway, longhorn-cli, rancher-agent, emissary, kube-arangodb, k9s, kpt, kiali, argo-workflows, kcp-fips-0.2...
GHSA-GJVH-7JH8-7XHM vulnerabilities
Vulnerabilities for packages: kpt, prometheus-blackbox-exporter, aws-efs-csi-driver, dbmate, grafana-agent-operator, manifest-tool, ko, knative-eventing, terraform-provider-pagerduty, kubernetes-csi-node-driver-registrar, maru, php-fpmexporter, influx, pgpool2exporter, go,...
GHSA-5W89-2C2X-6X66 vulnerabilities
Vulnerabilities for packages: kpt, prometheus-blackbox-exporter, aws-efs-csi-driver, dbmate, grafana-agent-operator, manifest-tool, ko, knative-eventing, terraform-provider-pagerduty, kubernetes-csi-node-driver-registrar, maru, php-fpmexporter, influx, pgpool2exporter, go, wazero, howdy-yall,...
CVE-2026-33762 vulnerabilities
Vulnerabilities for packages: flux, guac, bom, teleport, pulumi-language-dotnet, grafana, pulumi-kubernetes-operator, k9s, argocd-image-updater, argo-cd, scorecard, syft, zarf, tfsec, trivy-operator, external-secrets-operator, skaffold, trivy, flux-image-automation-controller, grafana-alloy,...
CVE-2026-27139 vulnerabilities
Vulnerabilities for packages: jaeger, nats, tfsec, tempo-fips, quic-go-fips, net-kourier, gitlab-kas-fips, tofu-controller-fips, dapr-fips, plugin-barman-cloud-fips, pluto, packer, databricks-cli-fips, aws-load-balancer-controller-fips, kubernetes-csi-external-attacher-fips, thanos-operator-fips,...
CVE-2025-61727 vulnerabilities
Vulnerabilities for packages: quic-go-fips, gitlab-kas-fips, plugin-barman-cloud-fips, pluto, aws-load-balancer-controller-fips, kubernetes-csi-external-attacher-fips, beats, k6-fips, ipfs-cluster, pulumi-kubernetes-operator, cluster-api-gcp-controller-fips, wave-fips, trillian-fips, spqr,...
CVE-2025-58187 vulnerabilities
Vulnerabilities for packages: kpt, guac, prometheus-blackbox-exporter, dbmate, grafana-agent-operator, cluster-api-gcp-controller, manifest-tool, ko, knative-eventing, kubernetes-csi-node-driver-registrar, maru, cert-manager-webhook-pdns, php-fpmexporter, pgpool2exporter, kube-vip-cloud-provider,...
EUVD-2021-15127
Malware in sbrugna...
EUVD-2021-18811
Malware in sbrugna...
Malicious code in vscode-kubernetes-tools (npm)
The package communicates with a domain associated with malicious activity...
MAL-2025-6779 Malicious code in vscode-kubernetes-tools (npm)
The package communicates with a domain associated with malicious activity...
GHSA-GJV4-GHM7-Q58Q MCP Server Kubernetes vulnerable to command injection in several tools
Summary A command injection vulnerability exists in the mcp-server-kubernetes MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to childprocess.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to...
GHSA-6F52-WPX2-HVF2 vulnerabilities
Vulnerabilities for packages: jaeger, nats, fixuid, dapr-fips, pluto, thanos-operator-fips, aws-load-balancer-controller-fips, kubernetes-csi-external-attacher-fips, aws-application-networking-k8s, fq, kubernetes-dashboard-fips, vault-k8s, beats, cloud-sql-proxy, hubble-ui, flux-helm-controller,...
CVE-2024-45338 vulnerabilities
Vulnerabilities for packages: kpt, guac, prometheus-blackbox-exporter, aws-efs-csi-driver, crossplane-provider-aws-memorydb, dbmate, grafana-agent-operator, ko, terraform-provider-pagerduty, rabbitmq-cluster-operator, cert-manager-webhook-pdns, tekton-chains, aws-load-balancer-controller,...
Malicious code in k8s-tools (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1ccbda1c33a268bb1641ff4dc9ed60a84c28d96d167768dc09e6258fb96d697c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...