CVE-2026-26118

HIGH

Azure MCP Server - Authenticated Server-Side Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-26118. PoCs published by XiaomingX, j-dahl7, piiiico.

AI-analyzed exploit summary: The repository contains a security scanner for MCP servers that checks for known vulnerability classes, including CVE-2026-26118. It performs various checks such as ping handler, resource list handler, and authentication, but does not include exploit code.

Description

Server-side request forgery (SSRF) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.

Exploits (3)

github SCANNER 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26118

The repository contains a security scanner for MCP servers that checks for known vulnerability classes, including CVE-2026-26118. It performs various checks such as ping handler, resource list handler, and authentication, but does not include exploit code.

Classification: Scanner 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: MCP servers
No auth needed
Prerequisites: MCP server URL
devstral-2 · analyzed Mar 16, 2026

nomisec WRITEUP
by j-dahl7 · poc
https://github.com/j-dahl7/mcp-attack-detection-sentinel

This repository provides a Microsoft Sentinel lab for detecting MCP (Model Context Protocol) attack chains, including CVE-2026-26118 (SSRF token theft). It includes analytics rules, hunting queries, and a workbook for monitoring and detecting attacks.

Classification: Writeup 95%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Sentinel
Auth required
Prerequisites: Azure subscription with Microsoft Sentinel enabled · Entra ID diagnostic settings · Azure Activity Log connector enabled in Sentinel · PowerShell 7.0+ with Azure CLI · Roles: Microsoft Sentinel Contributor, Security Reader
devstral-2 · analyzed Mar 18, 2026

nomisec SCANNER
by piiiico · poc
https://github.com/piiiico/mcp-check

This repository contains a security scanner for MCP (Model Context Protocol) servers, which checks for known vulnerability classes such as timing DoS, capability assumption attacks, and prompt injection. It does not exploit vulnerabilities but scans for their presence.

Classification: Scanner 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: MCP servers (e.g., Azure Arc MCP)
No auth needed
Prerequisites: MCP server URL
devstral-2 · analyzed Mar 15, 2026

Scores

CVSS v3 8.8
EPSS 0.0005
EPSS Percentile 15.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-918
Status published
Products (11)
azure/mcp 2.0.0-beta.1 - 2.0.0-beta.17 npm
Microsoft/Azure MCP Server Tools 1.0.0 - 2.0.0-beta.17
Microsoft/Azure MCP Server Tools 1.0.0 (npm) 1.0.0 - 1.0.2
Microsoft/Azure MCP Server Tools 1.0.0 (NuGet) 1.0.0 - 1.0.2
Microsoft/Azure MCP Server Tools 2.0.0 (npm) 2.0.0-beta.1 - 2.0.0-beta.17
Microsoft/Azure MCP Server Tools 2.0.0 (NuGet) 2.0.0-beta.1 - 2.0.0-beta.17
Microsoft/Azure MCP Server Tools 2.0.0 (PyPi) 2.0.0-beta.1 - 2.0.0-beta.17
microsoft/azure_mcp_server 2.0.0 beta1 (16 CPE variants)
microsoft/azure_mcp_server < 2.0.0
nuget/Azure.Mcp 2.0.0-beta.1 - 2.0.0-beta.17 NuGet
... and 1 more
Published Mar 10, 2026
Tracked Since Mar 11, 2026