Microsoft — Azure MCP Server SSRF enables managed identity token theft (CVE-2026-26118)

  • CVE-2026-26118 (CVSS 8.8) is a server-side request forgery (SSRF) in Azure Model Context Protocol (MCP) Server Tools, patched in the March 2026 Patch Tuesday.
  • An authorized attacker sends specially crafted input to an MCP Server tool that accepts user-provided parameters — replacing a normal Azure resource identifier with a malicious URL.
  • The MCP Server makes an outbound request to the attacker-controlled URL and includes its managed identity token, allowing the attacker to capture it without administrative access.
  • Successful exploitation grants all permissions associated with the MCP Server's managed identity — access to any Azure resources that identity is authorized to reach.
  • The attack does not grant broader tenant-level or administrator permissions, but in practice many MCP Server managed identities are scoped broadly for AI workload access.
  • This is the first major SSRF vulnerability in a first-party Azure MCP service, highlighting the security surface introduced by AI agent tool integration in cloud infrastructure.
  • Cisco Talos and multiple security vendors flagged this as one of the most notable vulnerabilities in the March 2026 Patch Tuesday alongside the Excel/Copilot Agent bug.

Why it matters

  • MCP servers act as the bridge between AI agents and cloud infrastructure — an SSRF in this layer means an attacker can pivot from an agent interaction to full cloud resource access.
  • Managed identity tokens are the primary authentication mechanism for Azure AI workloads — stealing one effectively compromises the agent's entire cloud context.
  • As organizations deploy MCP-backed agents at scale, each server becomes a high-value target combining the risk of SSRF with the blast radius of cloud IAM.

What to do

  • Patch Azure MCP Server Tools immediately — apply the March 2026 security update.
  • Audit managed identity permissions for all MCP Server instances — ensure least-privilege scoping.
  • Validate and sanitize user-supplied parameters in MCP tool inputs — enforce URL allowlists for outbound requests.
  • Monitor for anomalous token usage — alert on managed identity requests to unexpected Azure resources or external endpoints.
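
One way to implement the input validation and outbound URL allowlist recommended above. This is an added example, not Microsoft's patch or code from the Azure MCP Server; the function names and the allowed host suffixes are assumptions chosen for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the only hosts this deployment's tools ever need to call.
ALLOWED_HOST_SUFFIXES = (".vault.azure.net", ".blob.core.windows.net")

# ARM resource ID: /subscriptions/<guid>/resourceGroups/<name>[/providers/<ns>/<type>/<name>...]
RESOURCE_ID_RE = re.compile(
    r"/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"/resourceGroups/[-\w.()]{1,90}"
    r"(?:/providers/[a-z0-9.]+(?:/[-\w.]+)+)?",
    re.IGNORECASE | re.ASCII,
)


def is_resource_id(value: str) -> bool:
    """True only for a well-formed resource identifier, never for a URL."""
    return RESOURCE_ID_RE.fullmatch(value) is not None


def check_outbound_url(value: str) -> str:
    """Return the host if a token-bearing request may go there, else raise ValueError."""
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL is not allowed")
    if parts.port not in (None, 443):  # .port itself raises ValueError if malformed
        raise ValueError("unexpected port")
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue to the allowlist check
    else:
        raise ValueError("IP literals are not allowed")
    # Suffixes start with a dot, so 'evilvault.azure.net' cannot match '.vault.azure.net'.
    if not any(host.endswith(s) and len(host) > len(s) for s in ALLOWED_HOST_SUFFIXES):
        raise ValueError("host is not on the allowlist")
    return host


def classify_tool_param(value: str) -> str:
    """Accept a resource ID or an allowlisted URL; reject everything else."""
    if is_resource_id(value):
        return "resource_id"
    check_outbound_url(value)
    return "url"
```

Run the check before any credential is attached to the request, and disable redirect following on the HTTP client so an allowlisted host cannot forward the request elsewhere.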
