CVE-2026-32211
Missing Authentication in Azure MCP Server Enables Information Disclosure
Publication date: 2026-04-03
Last updated on: 2026-04-06
Assigner: Microsoft Corporation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | azure_web_apps | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized attackers to disclose information over a network due to missing authentication for a critical function in Azure MCP Server.
Such information disclosure can potentially lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.
Can you explain this vulnerability to me?
This vulnerability involves a missing authentication mechanism for a critical function in the Azure MCP Server. Because of this, an unauthorized attacker can access and disclose sensitive information over a network without needing proper credentials.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive information, which can compromise confidentiality and potentially lead to further security breaches. Given its critical severity with a CVSS score of 9.1, it poses a high risk to affected systems.