Microsoft Azure MCP Server Privilege Escalation Vulnerability via Server-Side Request Forgery

A server-side request forgery (SSRF) vulnerability has been identified in Azure Model Context Protocol (MCP) Server Tools. This vulnerability allows an authorized attacker to elevate privileges over the network. By sending specially crafted input to an MCP Server tool that accepts user-provided parameters, an attacker can replace a normal Azure resource identifier with a malicious URL. The MCP Server may then send an outbound request to this URL, potentially including its managed identity token. This could enable the attacker to capture the token and access resources authorized to the managed identity, without requiring administrative privileges.

Impact

Exploitation of this vulnerability could allow an attacker to gain access to the permissions associated with the Azure MCP Server's managed identity, enabling them to interact with resources that the identity is authorized to access.

Remediation

Users can download the security update for Azure MCP Server Tools from the NuGet Gallery. The vulnerability has been officially fixed in version 2.0.0-beta.17.