Skills
MCPwned: Azure MCP SSRF RCE Chain Leads to Full Tenant Credential Takeover
Token Security researcher Ariel Simon will present at RSAC 2026 a vulnerability chain starting from SSRF in Microsoft's Azure MCP server (CVE-2026-26118, CVSS 8.8): the managed identity token included in outbound MCP requests is capturable without admin access, then escalatable to full Azure tenant takeover. Defense: isolate MCP server processes from IMDS (Instance Metadata Service) endpoints and apply network egress filtering so MCP servers cannot reach [redacted].
Source
↳ Follow the thread