CVE-2026-32211: missing authentication in Azure MCP Server
Microsoft disclosed CVE-2026-32211 on 2 April 2026 — a missing-authentication flaw in Azure MCP Server that lets an unauthenticated attacker disclose information over the network. Microsoft scored it 9.1; NVD, 7.5.
What is this?
On 2 April 2026, Microsoft published CVE-2026-32211, an information-disclosure vulnerability in Azure MCP Server. The one-line description, recorded in the NVD entry, is blunt: “Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network.”
The underlying weakness is classified as CWE-306 — Missing Authentication for Critical Function. In plain terms, a function that should have required the caller to prove who they are did not, so a request that reaches the server over the network can pull back data it should never have surfaced. Microsoft’s MCP tooling exposes operations against cloud resources; an MCP endpoint that answers to anyone is exactly the kind of “critical function” CWE-306 is about.
This entry is worth reading not because it is exotic — it is the opposite — but because it is a clean, named, vendor-confirmed instance of the single most common way Model Context Protocol deployments fail: they ship reachable over a network with no authentication in front of them.
How it works
There is no clever payload here, and we deliberately publish none. The mechanism is the absence of a control, not the presence of a trick:
- A function is exposed over the network. Azure MCP Server answers requests that return information about the environment it is wired into.
- The auth check is missing. Per CWE-306, the critical function does not verify the caller’s identity before acting, so an unauthorized (per the CVE text) request is honoured.
- Information comes back. The attacker, who never authenticated, receives data the function was meant to gate behind a credential.
The scoring tells a useful story about how to read a CVE. Microsoft, as the assigning authority (CNA), rated the flaw 9.1 Critical with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The NVD analysts disagreed on one dimension and rated it 7.5 High with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Both agree it is network-reachable (AV:N), needs no privileges (PR:N) and no user interaction (UI:N), and leaks confidentiality (C:H). They differ only on integrity: Microsoft assigned I:H, NVD assigned I:N. When two reputable sources publish two scores for the same bug, that is not an error to ignore — it is a prompt to read the vector, not the headline number.
Microsoft tags the issue as an “exclusively hosted service” vulnerability. In Microsoft’s CVE conventions this means the affected component runs in Microsoft’s cloud and the fix is applied on Microsoft’s side, with no patch for customers to install — the CVE is published for transparency. That does not make the lesson optional: anyone running an MCP server they do control inherits the same failure mode.
Why it matters
MCP servers sit at a dangerous junction. They are designed to give an LLM agent real capabilities — read this resource, query that system — which means an MCP endpoint is, by construction, a gateway to data and actions. Put one on a network without authentication and you have built an open API to whatever it can reach.
CVE-2026-32211 is one data point in a pattern this site has been tracking all spring. A May 2026 study of 7,973 live remote MCP servers found 40.55% exposed their tools with no authentication at all, and every OAuth-enabled server it tested carried at least one flaw (see remote MCP servers: 40% unauthenticated). Internet-wide scanning told the same story for the broader stack — the recurring failure is permissive defaults, not exotic bugs. And OWASP’s June 2026 State of Agentic AI Security report makes the supply-chain-and-protocol layer its centre of gravity, cataloguing CVEs rather than hypotheticals. When Microsoft’s own official MCP server lands on that list, the “it won’t happen to a serious vendor” defence is gone.
The information-disclosure framing also undersells the agentic risk. A read-only leak is bad on its own, but in an agent pipeline the same unauthenticated reach is the foothold that feeds later steps — combine data access with untrusted content and an ability to act and you are back at the lethal trifecta.
Defenses
Treat every MCP server — hosted or self-run — as an authenticated, network-segmented service, never a convenience you drop on a port.
- Authenticate the server, not just the model. Require a verified caller identity (mTLS, OAuth with validated tokens, or a gateway that enforces it) before any tool function executes. CWE-306 is fixed by adding the check that was missing.
- Don’t expose MCP to networks that don’t need it. Bind to localhost or a private segment by default; put anything remote behind a reverse proxy that terminates auth. This mirrors Microsoft’s own mitigation guidance for the hosted case (restrict network access, front it with authenticated access).
- Apply least privilege to what the server can reach. Even an authenticated MCP server should only hold credentials scoped to exactly the resources its tools need, so a bypass leaks less.
- Inventory your MCP surface. Most organisations cannot list the MCP endpoints running inside them. Scan for them the way you scan for any exposed service, and check each for an auth requirement — see the NSA’s MCP security design considerations.
- Read the vector, set your own severity. Don’t let a single CVSS number drive triage. For CVE-2026-32211 the difference between Microsoft’s 9.1 and NVD’s 7.5 is entirely the integrity question — decide which matches your deployment.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| CVE-2026-32211 disclosed | Microsoft / NVD | 2026-04-02 | ”Missing authentication for critical function in Azure MCP Server” (CWE-306) |
| Microsoft (CNA) score | MSRC advisory | 2026-04-02 | 9.1 Critical — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD score | NVD analysis | 2026-04-06 | 7.5 High — C:H/I:N/A:N (differs on integrity) |
| Remediation | Microsoft CVE convention | — | Tagged “exclusively hosted service”; fix applied Microsoft-side, no customer patch |
| Wider context | OWASP / arXiv scans | 2026-05 to 06 | ~40% of remote MCP servers run with no authentication |
The takeaway is not that Azure MCP Server was uniquely careless. It is that “ship the MCP endpoint, add auth later” is an industry-wide default, and CVE-2026-32211 is the version of that mistake with a major vendor’s name and a CVSS 9.1 attached. If you run MCP anywhere, the question to answer today is simple: which of your servers will answer a stranger?
This article summarizes publicly available, vendor-disclosed vulnerability information for defensive and educational purposes. It reproduces no exploit code.
Sources
- → https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32211
- → https://nvd.nist.gov/vuln/detail/CVE-2026-32211
- → https://www.cve.org/CVERecord?id=CVE-2026-32211
- → https://cvefeed.io/vuln/detail/CVE-2026-32211
- → https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/