Token Security researchers disclosed at RSAC 2026 that the official Azure MCP server, when deployed in Streamable HTTP/SSE mode, contains a Remote Code Execution vulnerability reachable by any attacker with network access — no authentication required. The server was designed with a single shared Entra ID identity for all connected clients, meaning every MCP client inherits the same (often over-privileged) Azure credentials.
The RCE allows an unauthenticated attacker to compromise the server process, steal the configured Entra ID credentials, and perform arbitrary actions across the Azure tenant and Entra ID directory — completely unrestricted by the MCP tool surface. The root structural flaw is the shared-identity architecture: there is no per-client authorization boundary, so compromising one endpoint compromises the entire cloud estate.
Any enterprise running Azure MCP in remote HTTP mode faces full cloud tenant takeover from a single network-adjacent attacker. Enterprises that route multiple teams or services through a shared MCP server instance are particularly exposed.
Immediate recommendation: Do not expose Azure MCP in Streamable HTTP/SSE mode on untrusted networks. Apply the principle of least privilege to the Entra ID identity configured on the server. Monitor Token Security's advisory for patch availability and assign scoped, minimal-privilege identities per MCP deployment context.
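To make the recommendation concrete, the following Python audit helper is an added illustration; it is not code from the advisory, from Token Security, or from the Azure MCP project. It encodes the two checks a defender would run against a shared-identity MCP deployment: whether the server's transport is Streamable HTTP/SSE bound to a non-loopback interface, and whether the Entra ID identity it runs as holds broad roles (Owner, Contributor, User Access Administrator) at subscription, management-group or root scope. The role-assignment records mirror the fields returned by `az role assignment list -o json` (`roleDefinitionName`, `scope`, `principalId`); the listener description and all sample values are constructed for the example.

```python
"""Audit helper for a shared-identity MCP server deployment (added example,
not from the advisory or the Azure MCP project).

Checks:
  1. the server must not serve HTTP/SSE on an interface other than loopback;
  2. the Entra ID identity it runs as must hold only narrowly scoped roles.
Sample data below is constructed; the listener fields are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Roles broad enough that a stolen credential becomes tenant-wide takeover.
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Root, management-group and subscription-wide scopes count as "broad".
_BROAD_SCOPE = re.compile(
    r"^(/|/providers/Microsoft\.Management/managementGroups/[^/]+"
    r"|/subscriptions/[^/]+)/?$"
)

# Transports that expose the server over the network (hypothetical names).
NETWORK_TRANSPORTS = {"http", "sse", "streamable-http"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


def is_broad_scope(scope: str) -> bool:
    """True for scopes that cover a whole subscription or more."""
    return bool(_BROAD_SCOPE.match(scope))


def listener_findings(transport: str, bind_address: str) -> list[Finding]:
    """Flag HTTP/SSE transports reachable from beyond the local host."""
    if transport.lower() not in NETWORK_TRANSPORTS:
        return []  # stdio transport: no network listener to audit
    try:
        exposed = not ipaddress.ip_address(bind_address).is_loopback
    except ValueError:
        # Hostname rather than literal address; only "localhost" is safe.
        exposed = bind_address.lower() != "localhost"
    if exposed:
        return [Finding("high", f"{transport} transport bound to {bind_address}: "
                                "unauthenticated RCE reachable from the network")]
    return [Finding("info", f"{transport} transport bound to loopback only")]


def role_findings(principal_id: str, assignments: list[dict]) -> list[Finding]:
    """Flag over-privileged role assignments held by the MCP server identity."""
    findings = []
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        privileged, broad = role in HIGH_PRIVILEGE_ROLES, is_broad_scope(scope)
        if privileged and broad:
            findings.append(Finding("high", f"{role} at {scope}: stolen credential "
                                            "grants full-estate control"))
        elif privileged or broad:
            findings.append(Finding("medium", f"{role} at {scope}: narrow the role "
                                              "or the scope"))
    return findings


# Constructed sample: one MCP server identity with a mix of assignments.
MCP_PRINCIPAL_ID = "mcp-server-principal-EXAMPLE"
SAMPLE_ASSIGNMENTS = [
    {"principalId": MCP_PRINCIPAL_ID, "roleDefinitionName": "Owner",
     "scope": "/subscriptions/SUB-EXAMPLE"},
    {"principalId": MCP_PRINCIPAL_ID, "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB-EXAMPLE/resourceGroups/rg-example"},
    {"principalId": MCP_PRINCIPAL_ID, "roleDefinitionName": "Reader",
     "scope": "/subscriptions/SUB-EXAMPLE/resourceGroups/rg-example"},
    {"principalId": "some-other-principal-EXAMPLE", "roleDefinitionName": "Owner",
     "scope": "/"},  # belongs to a different identity, ignored
]


def audit(transport: str, bind_address: str,
          principal_id: str, assignments: list[dict]) -> list[Finding]:
    """Combine both checks into one report for a deployment."""
    return listener_findings(transport, bind_address) + role_findings(
        principal_id, assignments)


if __name__ == "__main__":
    for f in audit("sse", "0.0.0.0", MCP_PRINCIPAL_ID, SAMPLE_ASSIGNMENTS):
        print(f"[{f.severity}] {f.message}")
```

Each `high` finding maps to one of the advisory's two recommendations: a network-exposed HTTP/SSE listener means the unauthenticated path exists, and a broad high-privilege role means that the credential an attacker would steal from the server process is worth the whole tenant. Running the script against real `az role assignment list` output for each MCP deployment's identity shows which deployments still need a scoped, minimal-privilege identity.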