Azure

Microsoft has disclosed CVE-2026-32211, a critical information disclosure vulnerability in Azure MCP Server with a CVSS 3.1 score of 9.1. If you run any Azure MCP Server deployment — and the number of organizations doing so has grown dramatically as agentic workloads moved into production — this one requires immediate attention. The short version: an unauthenticated attacker with network access can read sensitive data from your MCP server. No credentials needed. No prior foothold required. Just a network path and knowledge of the right request. ...

CVE-2026-32211 is a CVSS 9.1 information disclosure vulnerability in Azure MCP Server. Missing authentication allows unauthenticated attackers with network access to read sensitive data — API keys, agent tokens, and data source credentials the MCP server manages. No credentials required to exploit. No prior access needed. This guide walks through the immediate mitigation steps while an official patch is pending, and the longer-term hardening practices that should apply to any MCP server deployment. ...