CVE-2026-26118 | Severity: High | CVSS 8.8

Azure MCP Server SSRF Enables Token Theft and Privilege Escalation

Tags: azure, mcp, ssrf, privilege-escalation, agentic-security, microsoft

Microsoft patched a high-severity server-side request forgery (SSRF) vulnerability in Azure MCP Server as part of the March 2026 Patch Tuesday release. The flaw allows an authenticated attacker to send a crafted input that forces the server to make requests to internal or attacker-controlled resources — leading to token theft and privilege escalation over the network.

The vulnerability requires an authenticated attacker, but it is exploitable over the network, so any system that can reach the server and holds valid Azure credentials is a potential source. The SSRF turns the MCP Server's trusted network position into the attack surface: an attacker with low-privilege agent access can coerce the server into querying internal metadata endpoints or service-to-service APIs and capture the tokens those endpoints return, which enable lateral movement to higher-privilege cloud resources.

No public PoC has been published as of the disclosure date. However, SSRF-to-privilege-escalation is a well-understood attack pattern in cloud environments; the combination with MCP's trusted server role makes this a high-priority patch for any enterprise running Azure-hosted AI agents.

Immediate action: Apply the March 2026 Microsoft security updates. Review Azure MCP Server configurations and restrict network egress to known-safe internal endpoints as a defense-in-depth measure; in particular, make sure the server process cannot reach the instance metadata endpoint unless it legitimately needs it, and review the permissions granted to the identity the server runs as, since those bound what a stolen token can do.
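As an added example, not code from Azure MCP Server or from Microsoft, the Python guard below shows what "restrict egress" looks like inside a tool server that fetches URLs on an agent's behalf: a hostname allowlist, plus a destination-IP check that runs on the resolved addresses so a hostname pointed at 169.254.169.254 (Azure IMDS) is caught even if the name itself is allowlisted. The hostnames api.internal.example and rebind.example and their DNS answers are constructed for the example; 203.0.113.10 is an RFC 5737 documentation address standing in for a legitimate API.

```python
"""Egress guard for an MCP tool server that fetches agent-supplied URLs.
Illustrative code for this advisory, not from Azure MCP Server."""
import ipaddress
import socket
from urllib.parse import urlsplit


class EgressDenied(Exception):
    """Raised when a URL must not be fetched."""


# Destinations an agent-controlled request must never reach. Link-local covers
# the Azure IMDS endpoint 169.254.169.254; 168.63.129.16 is the Azure host
# (WireServer) address and sits in a public range, so it is listed explicitly.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "168.63.129.16/32", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")
ALLOWED_SCHEMES = {"http", "https"}


def _unwrap_ipv4(ip):
    """Reduce IPv4-mapped (::ffff:a.b.c.d) and NAT64 (64:ff9b::a.b.c.d) IPv6
    addresses to the embedded IPv4 address so they cannot dodge the v4 list."""
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        if ip in NAT64_PREFIX:
            return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return ip


def is_blocked_ip(ip):
    """True if the address (str or ipaddress object) is loopback, link-local,
    private, multicast, metadata/WireServer, or an alias of one of those."""
    ip = _unwrap_ipv4(ipaddress.ip_address(ip))
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_with_dns(host):
    """Default resolver: every address getaddrinfo returns for host."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise EgressDenied(f"cannot resolve {host}: {exc}") from exc
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def check_egress(url, allowed_hosts=None, resolver=resolve_with_dns):
    """Validate url before the server fetches it; returns the destination IPs.

    allowed_hosts is the recommended control. With or without it, every
    destination IP is checked, because an allowlisted name can be pointed at
    169.254.169.254 by DNS rebinding or a compromised zone. Re-run this on
    every redirect hop (fetch with redirects disabled), otherwise an
    allowlisted host can bounce the request to IMDS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise EgressDenied(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise EgressDenied("credentials embedded in URL")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise EgressDenied("missing host")
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise EgressDenied(f"host not in egress allowlist: {host}")
    try:
        ips = {ipaddress.ip_address(host)}   # literal IP: nothing to resolve
    except ValueError:
        # Forms like "2852039166" or "0xa9fea9fe" fail here but are resolved
        # by getaddrinfo to 169.254.169.254, so the IP check runs on the
        # resolver's answer rather than on the string.
        ips = resolver(host)
    for ip in ips:
        if is_blocked_ip(ip):
            raise EgressDenied(f"{host} resolves to blocked address {ip}")
    return sorted(str(ip) for ip in ips)


def is_safe_url(url, allowed_hosts=None, resolver=resolve_with_dns):
    """Boolean wrapper around check_egress."""
    try:
        check_egress(url, allowed_hosts, resolver)
        return True
    except EgressDenied:
        return False


# Constructed DNS answers so the example runs offline (hypothetical names).
FAKE_DNS = {
    "api.internal.example": ["203.0.113.10"],
    "rebind.example": ["203.0.113.10", "169.254.169.254"],  # one bad record
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise EgressDenied(f"cannot resolve {host}")
    return {ipaddress.ip_address(a) for a in FAKE_DNS[host]}


if __name__ == "__main__":
    allow = {"api.internal.example", "rebind.example"}
    for u in ("https://api.internal.example/v1/items",
              "http://169.254.169.254/metadata/identity/oauth2/token",
              "https://rebind.example/",
              "http://[::ffff:169.254.169.254]/metadata/instance"):
        print(u, "->", "fetch" if is_safe_url(u, allow, fake_resolver) else "DENIED")
```

The deny list is the floor, not the policy: run the server with an explicit allowlist and treat the IP check as the backstop for DNS tricks. Note also that the check is only as good as its placement; it has to sit in front of every outbound HTTP call the server makes for an agent, including follow-up requests to redirect targets, and the HTTP client must be configured not to follow redirects on its own.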