Azure MCP Server: Unauthenticated RCE to Azure Tenant Takeover (CVE-2026-26118)
The official Azure MCP Server shipped the SSE transport without authentication and exposed azmcp-extension-az, a tool that passes user-controlled arguments directly to the Azure CLI process. Researcher Ariel Simon of Token Security demonstrated that an attacker on the network could invoke the tool with crafted arguments to write arbitrary files on the server host, then extract the Entra ID credentials held in the server's environment, compromising the entire Azure tenant. Microsoft patched the issue by removing the SSE transport, removing the vulnerable tool, and shipping a new transport with mandatory authentication. The finding was presented at RSAC 2026 and simultaneously tracked as CVE-2026-26118 (CVSS 8.8) in Microsoft's March 2026 Patch Tuesday.
What happened
The Azure MCP Server allowed users to manage Azure infrastructure in natural language. To handle requests that had no direct tool implementation, it exposed azmcp-extension-az, a fallback tool that constructed an Azure CLI invocation from the arguments supplied by the LLM client and executed it on the server host.
The server ran its SSE transport on the network with no authentication. An attacker with network access could connect directly without credentials. Because azmcp-extension-az passed user-controlled arguments to the az CLI process without meaningful restriction, the attacker could supply arguments that caused Azure CLI to download and write attacker-controlled content to arbitrary file paths, including shell startup files. Writing to ~/.bashrc gave persistence and code execution on the next shell invocation.
With execution established on the host, recovering Entra ID credentials from the server's environment variables was trivial. Those credentials carried whatever Azure permissions the server's identity held, potentially granting full administrative access to the victim's Azure tenant.
Token Security researcher Ariel Simon disclosed the vulnerability and presented a full live demonstration at RSAC 2026. Microsoft's response removed the SSE transport entirely, deleted the azmcp-extension-az tool, and shipped a replacement Streamable HTTP transport with mandatory authentication and authorisation. CVE-2026-26118 was published in Microsoft's March 10, 2026 Patch Tuesday at CVSS 8.8.
The PolicyLayer angle
The Azure MCP attack chain has three links: unauthenticated network access, an unrestricted tool that invokes a powerful CLI on the server, and credentials with broad cloud permissions sitting in the process environment. Any one of those links broken would have stopped the attack. None of them required a complex exploit. The SSE transport had no auth gate. The tool had no argument validation. The credentials had no scope limit.
The policy layer controls that address each link: transport-level authentication as a mandatory gate before any tool is reachable; tool allowlists that reject or sandbox any tool with shell or filesystem write access; credentials scoped to the minimum required Azure permissions, with short-lived tokens and rotation rather than persistent environment-variable credentials. An agent that must write to the local filesystem or invoke the full Azure CLI on the server side is not a well-scoped agent; those capabilities should not exist as MCP tools at all without explicit operator opt-in at deployment time.
The RSAC demonstration made the point that this class of attack, prompt-to-cloud-credential extraction, is not theoretical. Any MCP server that holds cloud credentials and accepts tool calls from unauthenticated or broadly authenticated sources is a variation of the same pattern. The specific fix here was removing the vulnerable tool. The general fix is auditing every tool that an MCP server exposes for what it can reach in the server's own environment.
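As an added illustration of those three controls in code (this is not Microsoft's Azure MCP Server code, nor from the original article), the Python gate below evaluates an MCP JSON-RPC tools/call request before it can reach any tool: it requires a bearer token on the transport, denies a CLI-passthrough tool such as azmcp-extension-az unless the operator explicitly opted in at deployment time, and accepts only named, identifier-shaped parameters for allowlisted tools. The token value, the tool names other than azmcp-extension-az, and the parameter schemas are constructed for the example.

```python
"""Policy gate for MCP tools/call requests (added example, not project code).

Three checks mirror the three links of the attack chain: a transport-level
auth gate, a tool allowlist with explicit opt-in for passthrough tools, and an
argument check that never lets a value be interpreted as a CLI flag or path.
"""
import hmac
import json
import re
from dataclasses import dataclass

# Constructed example secret; a real deployment validates tokens issued by its IdP.
EXPECTED_TOKEN = "constructed-example-token"

# Hypothetical allowlisted tools, each with the named parameters it accepts.
TOOL_SCHEMAS = {
    "azmcp-group-list": {"subscription"},
    "azmcp-storage-list": {"subscription", "resource_group"},
}

# Tools that forward a raw argument list to a CLI on the server host.
PASSTHROUGH_TOOLS = {"azmcp-extension-az"}

# Conservative shape for a parameter value: identifier-like, no leading dash
# (so it can never parse as a CLI flag), no path separators, no whitespace.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_auth(headers):
    """Link 1: nothing is reachable without a valid bearer token."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return Decision(False, "missing bearer token")
    if not hmac.compare_digest(token, EXPECTED_TOKEN):
        return Decision(False, "invalid bearer token")
    return Decision(True, "authenticated")


def check_tool(name, allow_passthrough):
    """Link 2: allowlist, with passthrough tools denied by default."""
    if name in PASSTHROUGH_TOOLS:
        if allow_passthrough:
            return Decision(True, f"{name} enabled by operator opt-in")
        return Decision(False, f"{name} forwards arguments to a host CLI; denied without operator opt-in")
    if name not in TOOL_SCHEMAS:
        return Decision(False, f"{name} is not in the tool allowlist")
    return Decision(True, "tool permitted")


def check_arguments(name, arguments):
    """Link 3 (server side): only declared, identifier-shaped parameters pass."""
    unknown = set(arguments) - TOOL_SCHEMAS.get(name, set())
    if unknown:
        return Decision(False, f"unexpected parameters: {sorted(unknown)}")
    for key, value in arguments.items():
        if not isinstance(value, str) or not SAFE_VALUE.match(value):
            return Decision(False, f"parameter {key!r} rejected: not a plain identifier")
    return Decision(True, "arguments accepted")


def make_tool_call(name, arguments):
    """Build a JSON-RPC tools/call message (used for the demo and tests)."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": name, "arguments": arguments}})


def evaluate(raw_request, headers, allow_passthrough=False):
    """Run the checks in order; the first failing check decides."""
    auth = check_auth(headers)
    if not auth.allowed:
        return auth
    try:
        request = json.loads(raw_request)
    except json.JSONDecodeError:
        return Decision(False, "malformed JSON-RPC request")
    if request.get("method") != "tools/call":
        return Decision(True, "not a tool call; outside this gate")
    params = request.get("params")
    if not isinstance(params, dict):
        return Decision(False, "tools/call without a params object")
    name = params.get("name", "")
    tool = check_tool(name, allow_passthrough)
    if not tool.allowed or name in PASSTHROUGH_TOOLS:
        return tool  # opted-in passthrough is allowed as-is; log it upstream
    return check_arguments(name, params.get("arguments") or {})


if __name__ == "__main__":
    good = {"authorization": "Bearer " + EXPECTED_TOKEN}
    print(evaluate(make_tool_call("azmcp-group-list", {"subscription": "sub-001"}), {}))
    print(evaluate(make_tool_call("azmcp-extension-az", {"command": "x"}), good))
    print(evaluate(make_tool_call("azmcp-group-list", {"subscription": "--output"}), good))
    print(evaluate(make_tool_call("azmcp-group-list", {"subscription": "sub-001"}), good))
```

The gate is a policy decision point, not a replacement for the transport's own authentication: in production the bearer token would be validated against the identity provider that issued it, and every opted-in passthrough invocation should be logged with the full argument list so the audit step under Mitigations has something to work with.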
Mitigations
Apply Microsoft's patch from the March 10, 2026 Patch Tuesday update for Azure MCP Server Tools. The fix removes the SSE transport and azmcp-extension-az, and introduces Streamable HTTP with mandatory authentication. Rotate any Entra ID credentials that were held in the Azure MCP Server process environment on unpatched instances. Audit Azure activity logs for anomalous CLI invocations originating from the MCP server identity. For all MCP servers that hold cloud credentials, enforce least-privilege identity assignment and ensure tokens are short-lived and scoped to specific operations.
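For the log-audit step, the following is an added Python example (not Microsoft's tooling and not from the original advisory) that runs over activity-log-style records and flags operations performed by the MCP server's own identity that fall outside a read-only baseline. The identity name, the baseline set and the six sample records are constructed for the example; the field names (caller, operationName, resultType, eventTimestamp) follow the Azure activity log schema, but the records are trimmed to just those fields.

```python
"""Baseline check over Azure activity-log records (added example).

A well-scoped MCP server identity should only ever perform a small, known set
of read operations. Anything else by that caller is worth a look, and a
permission change or other state-changing call is the signal that matters
most in the attack chain described above.
"""
from collections import Counter

# Hypothetical service principal the MCP server runs as.
MCP_IDENTITY = "mcp-server-sp@example.invalid"

# Read-only operations the server is expected to perform (constructed baseline).
BASELINE_OPS = {
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/storageAccounts/read",
}

# Operation-name suffixes that change state rather than read it.
STATE_CHANGING = ("/write", "/delete", "/action")

# Constructed sample records, trimmed to the fields this check uses.
SAMPLE_RECORDS = [
    {"eventTimestamp": "2026-03-09T10:00:01Z", "caller": MCP_IDENTITY,
     "operationName": "Microsoft.Resources/subscriptions/resourceGroups/read",
     "resultType": "Success"},
    {"eventTimestamp": "2026-03-09T10:00:05Z", "caller": MCP_IDENTITY,
     "operationName": "Microsoft.Storage/storageAccounts/read",
     "resultType": "Success"},
    {"eventTimestamp": "2026-03-09T10:02:17Z", "caller": MCP_IDENTITY,
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resultType": "Success"},
    {"eventTimestamp": "2026-03-09T10:02:40Z", "caller": MCP_IDENTITY,
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "resultType": "Success"},
    {"eventTimestamp": "2026-03-09T10:03:00Z", "caller": "admin@example.invalid",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "resultType": "Success"},
    {"eventTimestamp": "2026-03-09T10:03:30Z", "caller": MCP_IDENTITY,
     "operationName": "Microsoft.KeyVault/vaults/secrets/read",
     "resultType": "Failed"},
]


def classify(record, mcp_identity=MCP_IDENTITY, baseline=BASELINE_OPS):
    """Return (severity, reason) for one record, or None if it is unremarkable."""
    if record.get("caller") != mcp_identity:
        return None  # other callers are out of scope for this check
    op = record.get("operationName", "")
    if op in baseline:
        return None
    if op.startswith("Microsoft.Authorization/") and op.endswith(STATE_CHANGING):
        return ("high", "permission change by the MCP server identity")
    if op.endswith(STATE_CHANGING):
        return ("high", "state-changing operation outside baseline")
    if record.get("resultType") == "Failed":
        return ("medium", "failed operation outside baseline (possible probing)")
    return ("low", "read operation outside baseline")


def find_anomalies(records, mcp_identity=MCP_IDENTITY, baseline=BASELINE_OPS):
    """Scan records in order and collect every flagged one."""
    findings = []
    for record in records:
        verdict = classify(record, mcp_identity, baseline)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({"time": record["eventTimestamp"],
                         "operation": record["operationName"],
                         "severity": severity, "reason": reason})
    return findings


def summarize(findings):
    """Count findings per severity, for a quick triage view."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    found = find_anomalies(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['time']} [{f['severity']}] {f['operation']}: {f['reason']}")
    print(dict(summarize(found)))
```

Over the constructed sample this yields two high-severity findings (the role-assignment write and the virtual-machine write) and one medium-severity failed read, while the identical VM write by a different caller is ignored. In practice the baseline is derived from the server's observed read operations during a quiet period, and a single state-changing call by the MCP identity is treated as an incident, not a statistic, because the page's attack chain needs only one such call to matter.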
FAQs
No. The MarkItDown SSRF (disclosed January 2026 by BlueRock Security) allowed an MCP tool to fetch arbitrary URIs including cloud metadata endpoints. The Azure MCP RCE disclosed by Token Security involves the azmcp-extension-az tool passing attacker-controlled arguments to the Azure CLI process, enabling file writes and full Entra ID credential theft. Both are in Microsoft MCP products; both lead to cloud credential exposure; but the root causes and affected products are distinct.
The Token Security disclosure showed that the original SSE transport had no authentication, meaning network-level access was sufficient. CVE-2026-26118 as assigned by Microsoft lists the attack as requiring low privileges. Microsoft's fix removed the unauthenticated SSE transport entirely and replaced it with Streamable HTTP with mandatory auth, resolving both the classification ambiguity and the exposure.
Microsoft has not reported in-the-wild exploitation. Token Security demonstrated a working exploit in a controlled environment and at RSAC 2026. The PoC is public. Given the severity and the straightforward exploitation path on unpatched instances, organisations should treat unpatched deployments as actively at risk.
References
- MCPwned: Azure MCP RCE vulnerability leads to cloud takeover
- Microsoft & Anthropic MCP Servers at Risk of RCE, Cloud Takeovers
- MCPwned: Azure MCP RCE vulnerability leads to cloud takeover (Security Boulevard)
- SSRF in Azure MCP Server Tools (CVE-2026-26118)
- Azure MCP Server has Server-Side Request Forgery issue (GHSA-hhfx-wfvq-7g9c)