PERMISSION/PROTOCOL

2026-03-10

High | Primary

First Microsoft Production MCP CVE: Azure MCP Server SSRF via Malicious Resource URL Leaks Managed Identity Token for AI Agent Privilege Escalation (CVE-2026-26118, CVSS 8.8)

First CVE targeting the MCP protocol layer in a production Microsoft system. A malicious URL in place of an Azure resource identifier caused the MCP server to make an SSRF request leaking the managed identity token, enabling AI agent privilege escalation. CVSS 8.8. Discovered by XBOW.

Azure MCP Server | Credential exposure | SSRF via MCP resource URL: managed identity token exfiltration and privilege escalation | Azure cloud environment / Azure managed identity / AI agent

What happened

XBOW demonstrated that supplying a malicious URL as an Azure resource identifier caused the MCP server to make an authenticated SSRF request using its managed identity, leaking the token to the attacker-controlled endpoint.

Why it matters

Exposure of the managed identity token enables privilege escalation in Azure environments via the AI agent. The attacker potentially gains access to any Azure resource accessible to the managed identity: storage, databases, secrets, and other cloud resources.

Missing authorization check

MCP servers must validate that resource identifiers are legitimate, in-scope endpoints before using production credentials to make requests. Managed identity tokens must never be used to authenticate requests to attacker-controlled URLs.

Would PP block it?

If managed identity usage required a PP receipt bound to a specific authorized resource, attacker-supplied resource URLs would not match the authorized resource and the credential use would be blocked.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-03-10

    Microsoft Patch Tuesday: CVE-2026-26118 patched. First CVE targeting MCP protocol layer in a production Microsoft system. CVSS 8.8. Discovered by XBOW.

Technical breakdown

  • Azure MCP Server accepted Azure resource identifiers from client input without validation that the identifier resolved to a legitimate Azure endpoint.
  • When a malicious URL was supplied, the server made an HTTP request to that URL using its managed identity for authentication.
  • The managed identity token was included in the Authorization header of the SSRF request, leaking it to the attacker-controlled endpoint.
  • With the managed identity token, an attacker could access any Azure resource accessible to the server's identity, enabling privilege escalation via the AI agent.
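The missing check described in the breakdown above, sketched as an added example (not Microsoft's fix and not Azure MCP Server code): the client-supplied identifier is validated against an allowlist before the credential provider is ever called. The allowlist contents, the function names, and the `get_token` callable are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: this deployment only talks to these endpoints; adjust per service.
ALLOWED_HOSTS = {"management.azure.com"}
ALLOWED_SUFFIXES = (".vault.azure.net", ".blob.core.windows.net")
# Plain DNS labels only: rejects percent-encoding, empty labels and IPv6 literals.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


class OutOfScopeResource(ValueError):
    """The client-supplied identifier is not an in-scope HTTPS endpoint."""


def validate_resource_url(raw):
    """Return the normalized host of an in-scope endpoint, or raise."""
    # Characters that URL parsers disagree on are refused outright.
    if any(c.isspace() or c == "\\" or ord(c) < 0x20 for c in raw):
        raise OutOfScopeResource("whitespace, control character or backslash")
    try:
        parts = urlsplit(raw)
        port = parts.port
    except ValueError as exc:  # malformed port or bracketed host
        raise OutOfScopeResource(str(exc)) from None
    if parts.scheme != "https":
        raise OutOfScopeResource("scheme must be https")
    if "@" in parts.netloc:  # https://allowed-host@other-host/ style confusion
        raise OutOfScopeResource("userinfo is not allowed")
    if port not in (None, 443):
        raise OutOfScopeResource("unexpected port")
    host = (parts.hostname or "").rstrip(".")
    if not HOST_RE.match(host):
        raise OutOfScopeResource("malformed host")
    # Exact host, or a full-label suffix match; IP addresses never match either.
    if host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIXES):
        return host
    raise OutOfScopeResource("host %r is not an allowed endpoint" % host)


def authorized_headers(raw_url, get_token):
    """Fetch the managed identity token only after the target passes validation.

    get_token is a hypothetical stand-in for the credential provider. The HTTP
    client must also refuse redirects, or the header follows the 3xx response.
    """
    host = validate_resource_url(raw_url)
    return host, {"Authorization": "Bearer " + get_token()}
```

Validation runs before `get_token()`, so a rejected identifier never causes a token to be minted, let alone sent.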

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: Azure resource access, managed identity credential gate, MCP resource URL validation
Still needs: Resource URL validation before managed identity authentication; SSRF protection in MCP server
Receipt required for: Any managed identity usage, Azure resource access via AI agent MCP calls

PP's Credential Gate would require authorization receipts before managed identity tokens are used for resource access. It would not prevent the SSRF URL injection — that requires URL validation in the MCP server code.

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
