Vibe Coding
CVE-2026-32211: Azure MCP Server Missing Authentication — CVSS 9.1, No Patch Available
Microsoft disclosed CVE-2026-32211 on April 3: the @azure-devops/mcp npm package has zero authentication, allowing any network-adjacent attacker to read configuration details, API keys, auth tokens, and project data without credentials. CVSS 9.1 critical. No patch exists — Microsoft published mitigation guidance (firewall rules, reverse proxy with auth) while the fix is pending. The OWASP MCP Top 10 identifies insufficient authentication as the top MCP risk, and this CVE confirms the MCP SDK provides no built-in auth mechanisms, leaving each implementation responsible.
Source
↳ Follow the thread