CVE-2026-26118: Microsoft MCP Server Vulnerability Enables AI Tool Hijacking
PointGuard AI·high signal
Microsoft's MCP server implementation contains a vulnerability (CVE-2026-26118) that allows attackers to hijack AI tool calls, redirecting agent actions to attacker-controlled endpoints. The flaw bypasses MCP's transport security layer, enabling man-in-the-middle attacks on any IDE or CLI tool connecting through the affected server. This is the second major vendor-specific MCP CVE in two weeks, following the Anthropic protocol-level disclosure.