{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26118", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.911Z", "datePublished": "2026-03-10T17:05:21.115Z", "dateUpdated": "2026-04-14T16:36:40.631Z"}, "containers": {"cna": {"title": "Azure MCP Server Tools Elevation of Privilege Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_2:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0-beta.1", "versionEndExcluding": "2.0.0-beta.17"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_2:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0-beta.1", "versionEndExcluding": "2.0.0-beta.17"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_2:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0-beta.1", "versionEndExcluding": "2.0.0-beta.17"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_1:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.0.2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_1:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.0.2"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure MCP Server Tools 1.0.0 (npm)", "versions": [{"version": "1.0.0", "lessThan": "1.0.2", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure MCP Server Tools 1.0.0 (NuGet)", "versions": [{"version": "1.0.0", "lessThan": "1.0.2", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure MCP Server Tools 2.0.0 (npm)", "versions": [{"version": "2.0.0-beta.1", "lessThan": "2.0.0-beta.17", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure MCP Server Tools 2.0.0 (NuGet)", "versions": [{"version": "2.0.0-beta.1", "lessThan": "2.0.0-beta.17", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure MCP Server Tools 2.0.0 (PyPi)", "versions": [{"version": "2.0.0-beta.1", "lessThan": "2.0.0-beta.17", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:40.631Z"}, "references": [{"name": "Azure MCP Server Tools Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26118"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26118"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T03:56:21.634Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26118", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T19:49:52.853847Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:50:08.517Z"}}], "cna": {"title": "Azure MCP Server Tools Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure MCP Server Tools 1.0.0 (npm)", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.2", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Azure MCP Server Tools 1.0.0 (NuGet)", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.2", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Azure MCP Server Tools 2.0.0 (npm)", "versions": [{"status": "affected", "version": "2.0.0-beta.1", "lessThan": "2.0.0-beta.17", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Azure MCP Server Tools 2.0.0 (NuGet)", "versions": [{"status": "affected", "version": "2.0.0-beta.1", "lessThan": "2.0.0-beta.17", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Azure MCP Server Tools 2.0.0 (PyPi)", "versions": [{"status": "affected", "version": "2.0.0-beta.1", "lessThan": "2.0.0-beta.17", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26118", "name": "Azure MCP Server Tools Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_2:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.0.0-beta.17", "versionStartIncluding": "2.0.0-beta.1"}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_2:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.0.0-beta.17", "versionStartIncluding": "2.0.0-beta.1"}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_2:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.0.0-beta.17", "versionStartIncluding": "2.0.0-beta.1"}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_1:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.0.2", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server_tools_1:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.0.2", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:40.631Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26118", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:40.631Z", "dateReserved": "2026-02-11T15:52:13.911Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:21.115Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "08F2F33D-68BC-40BD-9945-9DAC13516B3F", "versionEndExcluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "FE4BB62F-D65C-4BD7-A977-560951121A31", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta10:*:*:*:*:*:*", "matchCriteriaId": "E25804B6-4EBC-484C-AA53-5F36A125F63C", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta11:*:*:*:*:*:*", "matchCriteriaId": "60995316-44CA-4789-B168-BD759D3FDC7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta12:*:*:*:*:*:*", "matchCriteriaId": "69049E0E-CFEE-4051-BE1A-E6A10A346986", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta13:*:*:*:*:*:*", "matchCriteriaId": "0E72117C-2C98-424A-BF6E-78553201F3AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta14:*:*:*:*:*:*", "matchCriteriaId": "AE81B2AA-87D7-41B3-934E-F06EB9973B7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta15:*:*:*:*:*:*", "matchCriteriaId": "A733A0B0-6D86-4CEF-A594-214195F8A40E", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta16:*:*:*:*:*:*", "matchCriteriaId": "1A0E69CE-C717-407D-84BA-8CC241F179B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "C7D01823-C2A0-4FB2-B0A9-53CD02FFDFFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "F27295F4-18D0-428E-A2F1-77B3209B6183", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "B88758F0-AE0F-4644-A2D0-EAB69F04B2AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "D1C2790F-D5F5-495A-9A70-01D0A69FECDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "F30CE925-8322-43B4-B634-B08F0D69DF19", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "640182FA-C461-46A2-BDEE-0785DCA7C26B", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "F7F3A643-AC07-4EC7-A4E2-DD5B0937D728", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_mcp_server:2.0.0:beta9:*:*:*:*:*:*", "matchCriteriaId": "B304FD54-1827-4401-8DA9-C1D982667DBB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network."}, {"lang": "es", "value": "Falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Azure MCP Server permite a un atacante autorizado elevar privilegios a trav\u00e9s de una red."}], "id": "CVE-2026-26118", "lastModified": "2026-03-13T20:12:47.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:41.180", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26118"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,2.0.0-beta.17)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Azure MCP Server Tools", "source": "cna", "vendor": "Microsoft"}, "product": "azure_mcp_server_tools", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-20T17:32:48.056310+00:00", "value": {"mitigation_remediation": ["Apply the latest patch to Azure MCP Server Tools as provided by Microsoft, following the instructions in the Microsoft Security Response Center update guide.", "Restrict network access for the Azure MCP Server Tools components to only necessary destinations, reducing the surface for SSRF exploitation.", "Disable or sandbox any unused Azure MCP Server Tools modules to minimize potential attack vectors.", "Monitor application logs for abnormal outbound request activity that could indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected products are Microsoft Azure MCP Server Tools versions 1.0.0 and 2.0.0 distributed via NuGet, npm, and PyPi. The impact applies to all listed sub\u2011versions (2.0.0 beta1 through beta16, as well as the stable 2.0.0 release). Users deploying these tools from any supported package manager are vulnerable unless they keep the packages updated.", "description_and_impact": "This vulnerability is a server\u2011side request forgery that allows an attacker who already has authorized access to the application to elevate privileges over the network. The weakness, identified as CWE\u2011918, can be used to force the server to make arbitrary outbound requests, potentially bypassing authentication or authorization controls and gaining higher privileges than originally granted.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity vulnerability, yet the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, implying that no widespread known attacks have been documented to date. However, exploitation requires the attacker to have some degree of authorized access to the server; once that condition is met, the SSRF can be used to elevate privileges across the network. The attack vector is likely internal, meaning that securing internal network boundaries and limiting outbound request capabilities can mitigate risk while awaiting a patch."}}}}, "created": "2026-03-11T11:45:11.466619+00:00", "updated": "2026-03-23T09:55:35.581121+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_mcp_server_tools"]}