CVE-2026-39884: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Flux159 mcp-server-kubernetes
CVE-2026-39884 is an argument injection vulnerability in the Flux159 mcp-server-kubernetes product versions prior to 3. 5. 0. The vulnerability exists in the port_forward tool, where user-controlled input is concatenated into a kubectl command string and split on spaces before execution, allowing injection of arbitrary kubectl flags. This can lead to exposure of internal Kubernetes services, cross-namespace access, and indirect exploitation via prompt injection against AI agents connected to the MCP server. The issue has been fixed in version 3. 5. 0.
AI Analysis
Technical Summary
The vulnerability arises from improper neutralization of argument delimiters (CWE-88) in the port_forward tool of mcp-server-kubernetes. Specifically, user input fields such as namespace, resourceType, resourceName, localPort, and targetPort are concatenated into a command string and split on spaces before being passed to spawn(), unlike other tools that use array-based argument passing with execFileSync(). This flawed handling allows attackers to inject additional kubectl flags, enabling unauthorized exposure of internal services, cross-namespace targeting, and potential prompt injection attacks on AI agents. The vulnerability affects versions 3.4.0 and earlier and was addressed in version 3.5.0.
Potential Impact
Successful exploitation can lead to unauthorized exposure of internal Kubernetes services to the network by injecting flags like --address=0.0.0.0, unauthorized cross-namespace access by injecting additional -n flags, and indirect exploitation through prompt injection against AI agents connected to the MCP server. The CVSS v3.1 score is 8.3 (high), indicating high confidentiality and integrity impact with low attack complexity and no user interaction required.
Mitigation Recommendations
A fix for this vulnerability is available in mcp-server-kubernetes version 3.5.0. Users should upgrade to version 3.5.0 or later to remediate this issue. Patch status is not explicitly stated beyond the fix in 3.5.0, so users should refer to the vendor's official release notes or advisories for confirmation and detailed upgrade instructions.
CVE-2026-39884: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Flux159 mcp-server-kubernetes
Description
CVE-2026-39884 is an argument injection vulnerability in the Flux159 mcp-server-kubernetes product versions prior to 3. 5. 0. The vulnerability exists in the port_forward tool, where user-controlled input is concatenated into a kubectl command string and split on spaces before execution, allowing injection of arbitrary kubectl flags. This can lead to exposure of internal Kubernetes services, cross-namespace access, and indirect exploitation via prompt injection against AI agents connected to the MCP server. The issue has been fixed in version 3. 5. 0.
CVSS v3.1
Score 8.3high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from improper neutralization of argument delimiters (CWE-88) in the port_forward tool of mcp-server-kubernetes. Specifically, user input fields such as namespace, resourceType, resourceName, localPort, and targetPort are concatenated into a command string and split on spaces before being passed to spawn(), unlike other tools that use array-based argument passing with execFileSync(). This flawed handling allows attackers to inject additional kubectl flags, enabling unauthorized exposure of internal services, cross-namespace targeting, and potential prompt injection attacks on AI agents. The vulnerability affects versions 3.4.0 and earlier and was addressed in version 3.5.0.
Potential Impact
Successful exploitation can lead to unauthorized exposure of internal Kubernetes services to the network by injecting flags like --address=0.0.0.0, unauthorized cross-namespace access by injecting additional -n flags, and indirect exploitation through prompt injection against AI agents connected to the MCP server. The CVSS v3.1 score is 8.3 (high), indicating high confidentiality and integrity impact with low attack complexity and no user interaction required.
Mitigation Recommendations
A fix for this vulnerability is available in mcp-server-kubernetes version 3.5.0. Users should upgrade to version 3.5.0 or later to remediate this issue. Patch status is not explicitly stated beyond the fix in 3.5.0, so users should refer to the vendor's official release notes or advisories for confirmation and detailed upgrade instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T20:32:03.010Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dece6882d89c981f1bf9e0
Added to database: 4/14/2026, 11:31:52 PM
Last enriched: 4/22/2026, 6:45:04 AM
Last updated: 5/29/2026, 6:12:24 PM
Views: 190
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.