Description
Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.
Published: 2026-03-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a server‑side request forgery that allows an attacker who already has authorized access to the application to elevate privileges over the network. The weakness, identified as CWE‑918, can be used to force the server to make arbitrary outbound requests, potentially bypassing authentication or authorization controls and gaining higher privileges than originally granted.

Affected Systems

Affected products are Microsoft Azure MCP Server Tools versions 1.0.0 and 2.0.0 distributed via NuGet, npm, and PyPi. The impact applies to all listed sub‑versions (2.0.0 beta1 through beta16, as well as the stable 2.0.0 release). Users deploying these tools from any supported package manager are vulnerable unless they keep the packages updated.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, yet the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, implying that no widespread known attacks have been documented to date. However, exploitation requires the attacker to have some degree of authorized access to the server; once that condition is met, the SSRF can be used to elevate privileges across the network. The attack vector is likely internal, meaning that securing internal network boundaries and limiting outbound request capabilities can mitigate risk while awaiting a patch.

Generated by OpenCVE AI on March 20, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch to Azure MCP Server Tools as provided by Microsoft, following the instructions in the Microsoft Security Response Center update guide.
  • Restrict network access for the Azure MCP Server Tools components to only necessary destinations, reducing the surface for SSRF exploitation.
  • Disable or sandbox any unused Azure MCP Server Tools modules to minimize potential attack vectors.
  • Monitor application logs for abnormal outbound request activity that could indicate exploitation attempts.

Generated by OpenCVE AI on March 20, 2026 at 17:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hhfx-wfvq-7g9c Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network
History

Fri, 20 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft azure Mcp Server Tools 1
Microsoft azure Mcp Server Tools 2
CPEs cpe:2.3:a:microsoft:azure_mcp_server_tools:*:*:*:*:*:*:*:* cpe:2.3:a:microsoft:azure_mcp_server_tools_1:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server_tools_2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft azure Mcp Server Tools 1
Microsoft azure Mcp Server Tools 2

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft azure Mcp Server
CPEs cpe:2.3:a:microsoft:azure_mcp_server:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta10:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta11:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta12:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta13:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta14:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta15:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta16:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta8:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta9:*:*:*:*:*:*
Vendors & Products Microsoft azure Mcp Server

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.
Title Azure MCP Server Tools Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft azure Mcp Server Tools
Weaknesses CWE-918
CPEs cpe:2.3:a:microsoft:azure_mcp_server_tools:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Mcp Server Tools
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Mcp Server Azure Mcp Server Tools Azure Mcp Server Tools 1 Azure Mcp Server Tools 2
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:33:17.500Z

Reserved: 2026-02-11T15:52:13.911Z

Link: CVE-2026-26118

cve-icon Vulnrichment

Updated: 2026-03-10T19:50:08.517Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:41.180

Modified: 2026-03-13T20:12:47.740

Link: CVE-2026-26118

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:55:35Z

Weaknesses