Cyber Resilience

CVE-2026-26118

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0096 56.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26118 is a high-severity SSRF (CWE-918) vulnerability in Microsoft Azure Mcp Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 43.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26118 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Azure MCP Server. Published on 2026-03-10T18:18:41.180, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

The vulnerability enables an authorized attacker with low privileges (PR:L) to exploit SSRF over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows the attacker to elevate privileges, leveraging the SSRF mechanism to make unauthorized requests on behalf of the server.

The Microsoft Security Response Center provides an update guide for CVE-2026-26118 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26118, detailing relevant mitigation and patching information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF vuln in network-accessible Azure server component with low-priv auth required directly enables exploitation for privilege escalation (T1068) via unauthorized server requests; also maps to T1190 as classic vector against public-facing apps.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21177Same vendor: Microsoft
CVE-2025-59503Same vendor: Microsoft
CVE-2025-62207Same vendor: Microsoft
CVE-2026-32169Same vendor: Microsoft
CVE-2026-26138Same vendor: Microsoft
CVE-2026-32186Same vendor: Microsoft
CVE-2026-26137Same vendor: Microsoft
CVE-2026-33107Same vendor: Microsoft
CVE-2026-26150Same vendor: Microsoft
CVE-2026-41105Same vendor: Microsoft

Affected Assets

microsoft
azure mcp server
2.0.0 · ≤ 2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SSRF by validating and sanitizing user inputs used to forge unauthorized server-side requests.

preventdetect

Monitors and controls communications at boundaries to block unauthorized outbound requests enabled by SSRF exploitation.

prevent

Enforces approved information flows to restrict server-initiated requests to unauthorized destinations or resources.

References