mcp-server-kubernetes exposes three environment variables (ALLOW ONLY READONLY TOOLS, ALLOW ONLY NON DESTRUCTIVE TOOLS, ALLOWED TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic.

Fixed in v3.6.0.

An attacker or misconfigured AI agent with network access to the MCP server's HTTP endpoint could invoke any Kubernetes tool regardless of the restriction mode configured by the operator -- including kubectl delete, exec in pod, kubectl generic, and node management.

The project explicitly supports and documents multi-client HTTP deployment scenarios (Streamable HTTP and SSE transports, in-cluster deployments, Codex CLI and Gemini CLI integrations). In these deployments, operators relied on the tool restriction env vars to enforce least-privilege access across users or roles. The bypass invalidated that model entirely.

Severity scales with the Kubernetes service account's permissions. In environments where the MCP server runs with cluster-admin (common in dev/staging), this is equivalent to full cluster compromise for any client that can reach the endpoint.

The MCP AUTH TOKEN / X-MCP-AUTH mechanism controls who can reach the endpoint but provides no per-tool authorization. An authenticated client restricted to ALLOWED TOOLS=kubectl get could still invoke kubectl delete after authentication.

In src/index.ts, the ListToolsRequestSchema handler applied the configured filtering logic before returning available tools. The CallToolRequestSchema handler dispatched directly by tool name with no equivalent check -- every tool was reachable unconditionally.

Tested across all three restriction modes against a live kind cluster. In each case, kubectl delete was absent from tools/list but executed successfully via a direct tools/call request:

curl -s http://<HOST>:3003/mcp 
 -H 'Content-Type: application/json' 
 -H 'Accept: application/json, text/event-stream' 
 -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kubectl delete","arguments":{"resourceType":"pod","name":"test-pod","namespace":"default"}}}'

Result: {"result":{"content":[{"type":"text","text":"pod "test-pod" deleted "}]}}

Confirmed across ALLOW ONLY READONLY TOOLS=true, ALLOW ONLY NON DESTRUCTIVE TOOLS=true, and ALLOWED TOOLS=kubectl get.

The fix applies the same filtering logic from ListToolsRequestSchema at the start of the CallToolRequestSchema handler, returning an error for any tool call outside the active allowed set. Fixed in v3.6.0.

Discovered by Francisco Rosales of Manifold Security, coordinated by Ax Sharma, Head of Research at Manifold Security.