Description
Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network.
Published: 2026-04-02
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

Missing authentication for a critical function in Azure MCP Server allows an unauthorized attacker who can reach the server over a network to read sensitive information. The flaw falls under the missing authentication weakness (CWE-306) and can lead to a serious breach of confidentiality by exposing data that Azure Web Apps stores or processes. The impact is equivalent to that of an authenticated user, giving attackers the same level of access to the system's data.

Affected Systems

Microsoft Azure Web Apps is the affected product. No specific version numbers are listed, so any deployment that includes the MCP Server component may be vulnerable until a patch is applied.

Risk and Exploitability

The vulnerability has a CVSS base score of 9.1, indicating a critical level of risk. The EPSS score is below 1%, suggesting a low probability of current exploitation, and it is not listed in the CISA KEV catalog, meaning no known public exploitation. Attackers can exploit the flaw from any network location that can reach the MCP Server, as no authentication is required, lowering the barrier to exploitation. Prompt patching is therefore essential.

Generated by OpenCVE AI on April 7, 2026 at 02:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch or update published by Microsoft for Azure Web Apps that addresses the missing authentication flaw.
  • Check the Microsoft Security Response Center update guide for CVE-2026-32211 and install the recommended fix.
  • Monitor Microsoft advisories for any subsequent security updates related to Azure Web Apps.
  • Limit network access to the Azure MCP Server to trusted networks to reduce exposure.

Generated by OpenCVE AI on April 7, 2026 at 02:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_web_apps:-:*:*:*:*:*:*:*

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network.
Title Azure MCP Server Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft azure Web Apps
Weaknesses CWE-306
CPEs cpe:2.3:a:microsoft:azure_web_apps:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Web Apps
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Web Apps
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T21:20:55.009Z

Reserved: 2026-03-11T01:49:58.659Z

Link: CVE-2026-32211

cve-icon Vulnrichment

Updated: 2026-04-03T13:48:18.747Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T00:16:04.703

Modified: 2026-04-06T18:08:55.450

Link: CVE-2026-32211

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:16Z

Weaknesses