The vulnerability CVE-2026-47250 in mcp-server-kubernetes (before 3.7.0) involves improper neutralization of argument delimiters (CWE-88) in the kubectl_generic tool. This tool forwards user-supplied flags directly to kubectl without validation or allowlisting. An attacker with limited cluster or codebase access can plant a structured JSON line in application logs that injects malicious flags such as --server and --insecure-skip-tls-verify. When an operator with privileged kubeconfig reads these logs via the MCP server, kubectl_generic sends API requests including the operator's Authorization Bearer token to the attacker's endpoint. The attacker can then replay this token to the Kubernetes API server, gaining the operator's full RBAC permissions. The vulnerability is fixed in version 3.7.0.

An attacker with limited access (e.g., developer with pod-deployment permissions) can escalate privileges by causing an operator's kubeconfig token to be leaked to an attacker-controlled server. This token leak allows the attacker to impersonate the operator and gain full RBAC permissions on the Kubernetes cluster. The vulnerability compromises confidentiality and authorization but does not affect integrity or availability directly.

This vulnerability is patched in mcp-server-kubernetes version 3.7.0. Users should upgrade to version 3.7.0 or later to remediate this issue. No other official remediation or temporary fixes are documented. Patch status is confirmed by the vendor advisory stating the fix is included in version 3.7.0.