GHSA-hhfx-wfvq-7g9c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hhfx-wfvq-7g9c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hhfx-wfvq-7g9c/GHSA-hhfx-wfvq-7g9c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hhfx-wfvq-7g9c
- Aliases
- Published
- 2026-03-10T18:31:21Z
- Modified
- 2026-03-14T06:36:13.352873Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network
- Details
-
Server-Side Request Forgery (SSRF) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-11T19:59:54Z", "severity": "HIGH", "nvd_published_at": "2026-03-10T18:18:41Z", "cwe_ids": [ "CWE-918" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2026-26118
- https://github.com/microsoft/mcp/commit/804ff60293206c4d8e832f772097238561bf2c34
- https://github.com/microsoft/mcp
- https://github.com/microsoft/mcp/releases/tag/Azure.Mcp.Server-1.0.2
- https://github.com/microsoft/mcp/releases/tag/Azure.Mcp.Server-2.0.0-beta.17
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26118
Affected packages
NuGet / Azure.Mcp
Package
- Name
- Azure.Mcp
- View open source insights on deps.dev
- Purl
- pkg:nuget/Azure.Mcp
NuGet / Azure.Mcp
Package
- Name
- Azure.Mcp
- View open source insights on deps.dev
- Purl
- pkg:nuget/Azure.Mcp
npm / @azure/mcp
Package
- Name
- @azure/mcp
- View open source insights on deps.dev
- Purl
- pkg:npm/%40azure/mcp
PyPI / msmcp-azure
Package
- Name
- msmcp-azure
- View open source insights on deps.dev
- Purl
- pkg:pypi/msmcp-azure
npm / @azure/mcp
Package
- Name
- @azure/mcp
- View open source insights on deps.dev
- Purl
- pkg:npm/%40azure/mcp