Vulnerability Details :

CVE-2026-13341

Summary
Assigner: Kong
Assigner Org ID: 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb
Published At: 03 Jul, 2026 | 10:19
Updated At: 03 Jul, 2026 | 10:19

Prompt Injection and Credential Exposure via Untrusted Analytics Data in Kong Konnect MCP

A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)
Affected Products
Vendor: KongHQ
Product: mcp-konnect
Default Status: unaffected
Versions (Affected):
  • From 0 before 1.0.0 (semver)
Problem Types
Type: CWE
CWE ID: CWE-20
Description: CWE-20 Improper input validation
Metrics
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Impacts
CAPEC ID: CAPEC-1000
Description: CAPEC-1000
Credits
Finder: Eli Ainhorn (https://www.linkedin.com/in/eli-ainhorn/), Noma Security (https://noma.security)
References
Hyperlink: https://github.com/Kong/mcp-konnect/security/advisories/GHSA-7767-3m3w-2p44
Resource: N/A
National Vulnerability Database (NVD)
nvd.nist.gov
Source: 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb
Published At: 03 Jul, 2026 | 11:16
Updated At: 03 Jul, 2026 | 11:16

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Weaknesses
CWE ID: CWE-20
Type: Secondary
Source: 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb
References
Hyperlink: https://github.com/Kong/mcp-konnect/security/advisories/GHSA-7767-3m3w-2p44
Source: 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb
Resource: N/A

Similar CVEs

1 record found

CVE-2026-10968
Matching Score: 4
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score: 7.4 (HIGH)
EPSS: 0.31% / 22.51%
7 Day CHG: ~0.00%
Published: 04 Jun, 2026 | 23:04
Updated: 08 Jun, 2026 | 19:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Insufficient validation of untrusted input in Dawn in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Action: Not Available
Vendor: Microsoft Corporation, Google LLC
Product: windows, chrome, Chrome
CWE ID: CWE-20 (Improper Input Validation)