CVE-2026-26118: Azure MCP Server has a Server-Side Request Forgery issue that allows an authorized attacker to elevate privileges over a network
Server-Side Request Forgery (SSRF) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.
References
- github.com/advisories/GHSA-hhfx-wfvq-7g9c
- github.com/microsoft/mcp
- github.com/microsoft/mcp/commit/804ff60293206c4d8e832f772097238561bf2c34
- github.com/microsoft/mcp/releases/tag/Azure.Mcp.Server-1.0.2
- github.com/microsoft/mcp/releases/tag/Azure.Mcp.Server-2.0.0-beta.17
- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26118
- nvd.nist.gov/vuln/detail/CVE-2026-26118