CVE-2026-26118

HIGH WAF: Medium

CVSS 8.8 Published: 2026-03-10

CWE-918

Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.

WAF Coverage Analysis

Server-Side Request Forgery (SSRF) Medium WAF Coverage

OWASP: A10:2021 SSRF

934xxx - Node.js / Generic Injection

Affected Software

Vendor	Product	Version
microsoft	azure_mcp_server	up to 2.0.0
microsoft	azure_mcp_server	2.0.0
microsoft	azure_mcp_server	2.0.0
microsoft	azure_mcp_server	2.0.0
microsoft	azure_mcp_server	2.0.0
microsoft	azure_mcp_server	2.0.0
microsoft	azure_mcp_server	2.0.0
microsoft	azure_mcp_server	2.0.0
microsoft	azure_mcp_server	2.0.0
microsoft	azure_mcp_server	2.0.0

References

msrc.microsoft.com (Vendor Advisory)

Back to CVE Database