CVE-2026-26118
Published: 10 March 2026
Summary
CVE-2026-26118 is a high-severity SSRF (CWE-918) vulnerability in Microsoft Azure Mcp Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 43.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26118 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Azure MCP Server. Published on 2026-03-10T18:18:41.180, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
The vulnerability enables an authorized attacker with low privileges (PR:L) to exploit SSRF over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows the attacker to elevate privileges, leveraging the SSRF mechanism to make unauthorized requests on behalf of the server.
The Microsoft Security Response Center provides an update guide for CVE-2026-26118 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26118, detailing relevant mitigation and patching information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10689
Vulnerability details
Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF vuln in network-accessible Azure server component with low-priv auth required directly enables exploitation for privilege escalation (T1068) via unauthorized server requests; also maps to T1190 as classic vector against public-facing apps.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates SSRF by validating and sanitizing user inputs used to forge unauthorized server-side requests.
Monitors and controls communications at boundaries to block unauthorized outbound requests enabled by SSRF exploitation.
Enforces approved information flows to restrict server-initiated requests to unauthorized destinations or resources.