NewsCVE-2026-26118: Azure MCP Server SSRF — First Cloud MCP VulnerabilityTheHackerWire·high signalSSRF in Azure MCP Server Tools (CVSS 8.8) lets attackers steal managed identity tokens. First CVE targeting cloud-hosted MCP infrastructure.SourceSource pageTheHackerWire↳ Follow the threadPolicy dependency / Stack layerCynative Ships an Open-Source Deep-Research Security Agent With Default-Deny Write PermissionsIT Security NewsPolicy dependency / Stack layerDefend against MCP tool poisoning by pinning versions and alerting on any tool-description change between releasesPractical DevSecOpsStack layer / Threat patternMCP Security by the Numbers: 30+ CVEs in a 60-Day Window, ~43% Command InjectionPractical DevSecOpsStack layer / Threat patternDevRev launches Enterprise-Bench, an open benchmark for agents in messy enterprise conditionsITBriefStack layer / Threat patternMCP Ships a Stable Enterprise-Managed Authorization Extension and Beta SDKs for Python, TypeScript, Go, and C#Medium (Medderic Hurier / Fmind)Stack layer / Threat patternMCPZoo Study: Scanners Call 96.89% of MCP Servers 'Risky' — But Under Half of Those Alerts Are RealarXivStack layer / Threat patternTip: Migrating an MCP Server to the Stateless Spec — Drop the Handshake and Move Session State to a Backing StorejsmanifestPolicy dependency / Stack layerCompliance SaaS Pivots to Governing Agents: Vanta's AI Agent Reaches GA in July; Drata Declares 'AI Agent Governance' a New CategoryDrata (corroborated by Vanta/SiliconANGLE)