{"threats":[{"id":"mcp-GHSA-6mx4-4h42-r8vh","title":"MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration","description":"### Summary\nThe `kubectl_generic` tool in `mcp-server-kubernetes` passes user-supplied flags directly to kubectl without any allowlist, enabling a **privilege escalation attack** within Kubernetes environments. An attacker who already has limited cluster or codebase access, for example, a developer with pod-deployment permissions but not cluster-admin credentials, can plant a single structured JSON line in an application's log output. When an operator with a privileged kubeconfig uses the MCP se","source":"github-mcp","sourceUrl":"https://github.com/advisories/GHSA-6mx4-4h42-r8vh","sourceId":"GHSA-6mx4-4h42-r8vh","category":"mcp","severity":"medium","cvssScore":6.1,"publishedAt":"2026-06-05T15:40:00Z","ingestedAt":"2026-06-06T08:00:13.338Z","affectedPackages":["mcp-server-kubernetes"],"affectedVersions":"<= 3.6.2","remediation":null,"tags":["mcp","npm","supply-chain"]},{"id":"mcp-GHSA-cr22-wjx7-2w6m","title":"MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement","description":"## Summary\n\n`mcp-server-kubernetes` exposes three environment variables (`ALLOW_ONLY_READONLY_TOOLS`, `ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS`, `ALLOWED_TOOLS`) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (`tools/list`) but not at the execution layer (`tools/call`). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. \nThe access control was effectively","source":"github-mcp","sourceUrl":"https://github.com/advisories/GHSA-cr22-wjx7-2w6m","sourceId":"GHSA-cr22-wjx7-2w6m","category":"mcp","severity":"high","cvssScore":8.8,"publishedAt":"2026-05-21T20:33:46Z","ingestedAt":"2026-05-22T08:00:53.012Z","affectedPackages":["mcp-server-kubernetes"],"affectedVersions":"< 3.6.0","remediation":null,"tags":["mcp","npm","supply-chain"]},{"id":"mcp-GHSA-p7fg-763f-g4gf","title":"Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool","description":"The `BetaLocalFilesystemMemoryTool` in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (`0o666` for files, `0o777` for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavio","source":"github-mcp","sourceUrl":"https://github.com/advisories/GHSA-p7fg-763f-g4gf","sourceId":"GHSA-p7fg-763f-g4gf","category":"mcp","severity":"medium","cvssScore":0,"publishedAt":"2026-04-29T22:28:12Z","ingestedAt":"2026-04-30T20:00:46.704Z","affectedPackages":["@anthropic-ai/sdk"],"affectedVersions":">= 0.79.0, < 0.91.1","remediation":null,"tags":["mcp","npm","supply-chain"]}],"total":3,"packages":42}
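The first advisory (GHSA-6mx4-4h42-r8vh) turns on `kubectl_generic` forwarding caller-supplied flags to kubectl with no allowlist. The block below is an added example, not code from `mcp-server-kubernetes`: a flag validator that fails closed, accepting only a fixed set of query-shaping flags and rejecting anything that could redirect kubectl to another server, swap its identity, or change which credentials it sends. The allowed and boolean flag sets, the `validateKubectlFlags` name, and the sample argument lists are assumptions chosen for illustration.

```typescript
// Added example (not the project's code). Validates a kubectl argument list
// against an allowlist before it is handed to a child process.

// Assumed allowlist: flags that only shape a query and cannot change the
// target cluster, identity, or credentials.
const ALLOWED_FLAGS: ReadonlySet<string> = new Set([
  "--namespace", "-n", "--output", "-o", "--selector", "-l",
  "--field-selector", "--all-namespaces", "-A", "--show-labels",
]);

// Subset of the allowlist that takes no value.
const BOOLEAN_FLAGS: ReadonlySet<string> = new Set([
  "--all-namespaces", "-A", "--show-labels",
]);

// Not consulted by the validator (everything outside ALLOWED_FLAGS is already
// rejected); listed so a reviewer can see what the allowlist is meant to keep
// out: flags that retarget kubectl or select the credentials it presents.
export const CREDENTIAL_AND_TARGET_FLAGS: readonly string[] = [
  "--kubeconfig", "--server", "-s", "--token", "--as", "--as-group",
  "--username", "--password", "--client-certificate", "--client-key",
  "--certificate-authority", "--insecure-skip-tls-verify", "--context",
  "--cluster", "--user",
];

export type FlagCheck =
  | { ok: true; argv: string[] }
  | { ok: false; reason: string };

/** Split "--flag=value" into ["--flag", "value"]; "--flag" stays as-is. */
function splitFlag(arg: string): [string, string | undefined] {
  const eq = arg.indexOf("=");
  return eq === -1 ? [arg, undefined] : [arg.slice(0, eq), arg.slice(eq + 1)];
}

/**
 * Returns a normalized argv (every flag followed by its value as a separate
 * element) or a rejection. Positional words such as "get" or "pods" pass
 * through; anything starting with "-" must be in the allowlist. Collapsed
 * short forms such as "-nkube-system" are not in the set and are therefore
 * rejected, which is the intended fail-closed behaviour.
 */
export function validateKubectlFlags(userArgs: readonly string[]): FlagCheck {
  const argv: string[] = [];
  for (let i = 0; i < userArgs.length; i++) {
    const arg = userArgs[i];
    if (!arg.startsWith("-")) {
      argv.push(arg);            // positional: verb, resource, name
      continue;
    }
    if (arg === "--") {
      return { ok: false, reason: "end-of-options marker not allowed" };
    }
    const [name, inlineValue] = splitFlag(arg);
    if (!ALLOWED_FLAGS.has(name)) {
      return { ok: false, reason: `flag not in allowlist: ${name}` };
    }
    if (BOOLEAN_FLAGS.has(name)) {
      if (inlineValue !== undefined) {
        return { ok: false, reason: `flag ${name} takes no value` };
      }
      argv.push(name);
      continue;
    }
    if (inlineValue !== undefined) {
      argv.push(name, inlineValue);
      continue;
    }
    // Value-taking flag written as a separate token: consume the next token,
    // but never let it be another flag.
    const value = userArgs[i + 1];
    if (value === undefined || value.startsWith("-")) {
      return { ok: false, reason: `flag ${name} requires a value` };
    }
    argv.push(name, value);
    i++;
  }
  return { ok: true, argv };
}
```

The normalized `argv` is what should be passed to `child_process.spawn`-style APIs (as an array, never as a shell string); the rejection reason is safe to return to the MCP client because it names only the offending flag.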
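The second advisory (GHSA-cr22-wjx7-2w6m) describes restriction modes applied when tools are listed but not when they are called. The block below is an added example, not code from `mcp-server-kubernetes`: a minimal in-memory tool registry in two variants, one that filters only in `listTools` (the pattern the advisory describes) and one that re-checks the same policy in `callTool`. The tool names, the `readOnly`/`destructive` annotations, the boolean and comma-separated semantics assigned to the three environment variables, and the sample tools are assumptions for illustration.

```typescript
// Added example (not the project's code): the same policy evaluated at
// discovery time and at execution time.

export interface Tool {
  name: string;
  readOnly: boolean;     // assumed annotation: never mutates cluster state
  destructive: boolean;  // assumed annotation: deletes or irreversibly changes resources
  handler: (args: Record<string, unknown>) => string;
}

export interface Policy {
  allowOnlyReadonly: boolean;
  allowOnlyNonDestructive: boolean;
  allowedTools: ReadonlySet<string> | null;  // null: no explicit list configured
}

/** Build a policy from the three env vars the advisory names (value formats assumed). */
export function policyFromEnv(env: Record<string, string | undefined>): Policy {
  const flag = (v: string | undefined): boolean => v === "true" || v === "1";
  const list = (env.ALLOWED_TOOLS ?? "")
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  return {
    allowOnlyReadonly: flag(env.ALLOW_ONLY_READONLY_TOOLS),
    allowOnlyNonDestructive: flag(env.ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS),
    allowedTools: list.length > 0 ? new Set(list) : null,
  };
}

/** Single decision function, so list and call cannot drift apart. */
export function isPermitted(tool: Tool, policy: Policy): boolean {
  if (policy.allowOnlyReadonly && !tool.readOnly) return false;
  if (policy.allowOnlyNonDestructive && tool.destructive) return false;
  if (policy.allowedTools !== null && !policy.allowedTools.has(tool.name)) return false;
  return true;
}

export type CallResult =
  | { ok: true; result: string }
  | { ok: false; error: string };

/** The advisory's pattern: policy applied to tools/list only. */
export class PresentationOnlyServer {
  constructor(private readonly tools: Tool[], private readonly policy: Policy) {}

  listTools(): string[] {
    return this.tools.filter((t) => isPermitted(t, this.policy)).map((t) => t.name);
  }

  callTool(name: string, args: Record<string, unknown> = {}): CallResult {
    const tool = this.tools.find((t) => t.name === name);
    if (!tool) return { ok: false, error: `tool not available: ${name}` };
    return { ok: true, result: tool.handler(args) };  // no policy check here
  }
}

/** Hardened variant: tools/call re-evaluates the policy before dispatch. */
export class EnforcingServer {
  constructor(private readonly tools: Tool[], private readonly policy: Policy) {}

  listTools(): string[] {
    return this.tools.filter((t) => isPermitted(t, this.policy)).map((t) => t.name);
  }

  callTool(name: string, args: Record<string, unknown> = {}): CallResult {
    const tool = this.tools.find((t) => t.name === name);
    // Unknown and denied tools return the same error so a client cannot
    // enumerate hidden tools by probing names.
    if (!tool || !isPermitted(tool, this.policy)) {
      return { ok: false, error: `tool not available: ${name}` };
    }
    return { ok: true, result: tool.handler(args) };
  }
}

// Constructed sample tools; handlers only describe what a real one would do.
export const SAMPLE_TOOLS: Tool[] = [
  { name: "kubectl_get", readOnly: true, destructive: false,
    handler: () => "listed resources" },
  { name: "kubectl_apply", readOnly: false, destructive: false,
    handler: () => "applied manifest" },
  { name: "kubectl_delete", readOnly: false, destructive: true,
    handler: (a) => `deleted ${String(a.name ?? "?")}` },
];
```

Keeping `isPermitted` as the single source of truth is the point: the listing filter becomes a convenience for the client, and the `tools/call` check is what actually bounds what an operator's kubeconfig can be made to do.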