
CVE-2025-65719: Critical RCE in Kubectl MCP Server

A Single Webpage Visit Lets Attackers Execute Kubectl Commands and Take Over Entire Clusters

TL;DR: OX Research has uncovered a critical vulnerability, CVE-2025-65719, in Kubectl MCP Server that allows full remote code execution when a user visits a malicious website.

Severity: Critical
Affected Versions: < 1.2.0
Impact: Remote Code Execution (RCE), Full Kubernetes Cluster Compromise

About Kubectl MCP Server

Kubernetes is an open-source platform that automates the deployment, scaling, and management of containerized applications. By organizing machines into clusters and intelligently distributing workloads across them, Kubernetes eliminates the need to run containers manually on individual servers. The platform provides robust orchestration features, including automated load balancing, self-healing, and service discovery, enabling developers to manage complex applications efficiently. 

The Kubectl MCP Server is a Model Context Protocol (MCP) server for Kubernetes that allows AI assistants such as Claude, Cursor, and others to interact with Kubernetes clusters using natural language. This enables more intuitive cluster management and streamlined control over containerized workloads. While powerful for streamlining DevOps workflows, this direct system access becomes dangerous when implemented without proper security controls, as this vulnerability demonstrates. 

What we found

We discovered a critical vulnerability that allows attackers to achieve remote code execution on victim machines after a user visits a malicious website. The attacker gains complete control over both the local system and any Kubernetes clusters the victim has access to.

Who Is Affected?

All users of Kubectl MCP Server on versions below 1.2.0 are vulnerable. The tool is widely adopted by the DevOps and cloud infrastructure community, so the flaw represents a significant security risk to organizations that use this MCP server.

Potential Damage

  • Complete system control of compromised devices
  • Full access to Kubernetes clusters and containerized workloads
  • Kubernetes credentials and service accounts exposed
  • Ability to deploy malicious containers or modify existing deployments
  • Lateral movement potential within connected cloud infrastructure
  • Access to secrets, ConfigMaps, and sensitive cluster data

Responsible Disclosure

We contacted the Kubectl MCP Server maintainers on Nov 9, 2025. The maintainer responded on Jan 28, 2026 that the vulnerability had been patched.

Recommendations

  • Don’t visit untrusted or suspicious websites while Kubectl MCP Server is running
  • Never set up unauthenticated MCP servers with direct web access:
    • Use IP binding (localhost only)
    • Implement authentication or API key requirements
    • Conduct security audits on services exposing cluster access
  • Scope Kubernetes credentials and service accounts to minimum necessary privileges
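As an added illustration of the last three recommendations (our own example, not code from the kubectl-mcp-server project), the handler below binds only to the loopback interface, requires an API key header, and rejects requests whose Origin header names a site outside an allowlist. Loopback binding by itself does not stop the attack described in this post, since the victim's own browser is already on localhost, which is why the key and Origin checks carry the weight. The header names, port, key source and allowlist are assumptions.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for this example: load the key from configuration and list
# only the front-ends that legitimately call the server.
API_KEY = os.environ.get("MCP_API_KEY", "replace-me-with-a-long-random-secret")
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}


def authorize(headers: dict, expected_key: str = API_KEY,
              allowed_origins=ALLOWED_ORIGINS) -> tuple:
    """Return (allowed, reason); header names are matched case-insensitively.

    A page on another site can make the victim's browser POST to localhost,
    but it cannot suppress the Origin header on that request and cannot add
    a custom header without the server first consenting via CORS, so the two
    checks together stop the drive-by request."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, f"origin not allowed: {origin}"
    supplied = h.get("x-api-key", "")
    if not hmac.compare_digest(supplied.encode(), expected_key.encode()):
        return False, "missing or invalid API key"
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        ok, reason = authorize(dict(self.headers))
        if not ok:
            self.send_error(403, reason)
            return
        length = int(self.headers.get("Content-Length", 0))
        request = json.loads(self.rfile.read(length) or b"{}")
        # Tool dispatch would go here; the example just acknowledges the call.
        reply = {"jsonrpc": "2.0", "id": request.get("id"), "result": "accepted"}
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(reply).encode())


if __name__ == "__main__":
    # Bind to the loopback interface only, never to 0.0.0.0 or a LAN address.
    HTTPServer(("127.0.0.1", 8080), GuardedHandler).serve_forever()
```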

Why We Chose to Focus on MCPs

These findings extend OX Security’s broader MCP research initiative, which uncovered a systemic, design-level vulnerability in Anthropic’s MCP STDIO implementation — a flaw that propagated silently through downstream AI agent frameworks, developer IDEs, and MCP marketplaces, exposing an estimated 150 million downloads to risk.

Technical Analysis

We examined the Kubectl MCP Server, an MCP server designed for Kubernetes. This server enables AI assistants to interact with Kubernetes clusters using natural language.

We began by setting up Minikube, a lightweight tool that allows developers to run a local Kubernetes cluster on their personal machines. Minikube eliminates the need to manage multiple servers by running everything inside a single virtual machine or container, providing a fully functional Kubernetes environment without requiring cloud resources.

The attack requires the victim to have a Kubectl MCP server running in the background; it then proceeds as follows:

  1. The victim clicks a malicious link or browses to a malicious website
  2. The website connects from the browser to localhost, where the Kubectl MCP server is listening
  3. A payload is sent to localhost that exploits the server's practice of running shell commands from Python with the shell=True parameter; this lets the attacker inject arbitrary shell commands and achieve code execution

Our Setup of Minikube

While setting up the server, we noticed something interesting about the way it listens for incoming requests. That immediately raised a red flag, suggesting there might be an exposed entry point. From there, we began exploring possible vulnerabilities that could be reached through it.


By interacting with our MCP server, we were able to retrieve data about our pods:


Noticing the command sent in the request, and the ability to send a request from anywhere, led us to interact with the server in a malicious way.

Upon closer examination of the relevant line in the code, we determined that the use of shell=True could be exploited to inject arbitrary commands. These commands would then be executed on the server running the Kubectl MCP Server:

https://github.com/rohitg00/kubectl-mcp-server/blob/f0986f3f3817283cf945b00ffb1329a3beef5f0e/compatible_servers/windsurf/windsurf_compatible_mcp_server.py#L140


This led to the ability to execute code by sending a crafted request as follows:

curl -X POST http://192.168.0.78:8080/ \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": "3",
    "method": "mcp.tool.call",
    "params": {
      "name": "get_pods",
      "input": {
        "namespace": "default && echo pwned > pwned"
      }
    }
  }'
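To make the defect concrete, here is an added example (our own illustration, not code from the kubectl-mcp-server project) that sets the shell=True string-building pattern beside a hardened handler: the namespace is checked against the Kubernetes DNS-label naming rules and kubectl is invoked with an argument list and no shell. The function names are assumptions; the injection string is the one from the request above.

```python
import re
import subprocess

# Kubernetes namespace names are RFC 1123 DNS labels: lowercase letters,
# digits and '-', 1 to 63 characters, starting and ending alphanumeric.
_NAMESPACE_RE = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")


def vulnerable_command(namespace: str) -> str:
    """The unsafe pattern: the caller-supplied namespace is spliced into one
    string that is then passed to subprocess with shell=True, so metacharacters
    such as '&&' are parsed by the shell as a second command. This function
    only builds the string; it never executes it."""
    return f"kubectl get pods -n {namespace}"


def is_valid_namespace(namespace: str) -> bool:
    """True only for a syntactically valid namespace name."""
    return _NAMESPACE_RE.fullmatch(namespace) is not None


def build_get_pods_argv(namespace: str) -> list:
    """Hardened form: the input is validated and then becomes exactly one
    argv element, so no shell parses it and '&&' cannot split the command."""
    if not is_valid_namespace(namespace):
        raise ValueError(f"invalid namespace name: {namespace!r}")
    return ["kubectl", "get", "pods", "-n", namespace]


def get_pods(namespace: str) -> str:
    """Run kubectl with an argument list and no shell (not called at import)."""
    result = subprocess.run(build_get_pods_argv(namespace),
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    payload = "default && echo pwned > pwned"   # injection string from the PoC request
    print("with shell=True the shell would run:", vulnerable_command(payload))
    print("hardened argv for a valid name:", build_get_pods_argv("default"))
    try:
        build_get_pods_argv(payload)
    except ValueError as err:
        print("hardened form rejects the payload:", err)
```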

Later, we set up a malicious site capable of generating the above requests on behalf of the victim, allowing it to interact with localhost and take advantage of the vulnerability in order to execute commands on the victim’s behalf:


By exploiting the discovered vulnerability, we were able to execute commands on the victim’s machine – in this case, opening the calculator – while the victim had only visited our site.

Video PoC
