DEV Community

Custodia-Admin
Custodia-Admin

Posted on • Originally published at pagebolt.dev

CVE-2026-26118: How to Prove Your MCP Agent Wasn't Compromised

#security #mcp #cve #ssrf

CVE-2026-26118: How to Prove Your MCP Agent Wasn't Compromised

Microsoft disclosed CVE-2026-26118 this week: a Server-Side Request Forgery (SSRF) vulnerability in Azure's Model Context Protocol server. CVSS 8.8. An attacker with network access can coerce your MCP server to contact internal services, steal credentials from metadata endpoints, and masquerade as your trusted agent.

You'll patch it. But here's the problem nobody talks about: After the vulnerability window closes, how do you prove your agent didn't leak data?

The Agent-in-the-Middle Problem

Your LLM agent runs through an MCP server endpoint. The endpoint has elevated permissions — it can access internal APIs, databases, credential systems. Normally, your agent does legitimate work.

Then the SSRF window opens. An attacker doesn't need to hijack your agent. They just need to trick the MCP server into making requests it shouldn't make. Those requests look like they came from your infrastructure. Your logs say "Agent connected. Agent made requests."

But your logs won't say: What was actually on screen when those requests ran? Did the agent see a legitimate interface or a fake one?

Why Screenshots Matter Here

When you discover the SSRF was exploited:

Your logs tell you:

- Connection from [agent_id]
- Request to /api/users
- Request to /api/credentials
- Response: 200 OK
Enter fullscreen mode Exit fullscreen mode

That's not proof. That's an assertion.

A screenshot tells you:

- Before the request: Agent on legitimate internal page
- Step replay: Agent navigated to /api/users
- Screenshot: Agent saw real employee management interface (not phishing)
- After the request: Agent on expected page with expected data
Enter fullscreen mode Exit fullscreen mode

Now you know the agent wasn't coerced. The interface it accessed was legitimate. The workflow was what you authorized.

Tamper-Evident Evidence

Visual audit trails create forensic evidence:

  1. Timeline proof — Timestamp on each screenshot shows exactly when each step happened
  2. Interface verification — You see the actual page, not a fake one an attacker injected
  3. Step correlation — You match screenshots to logs to confirm the agent did what it logged
  4. Incident scope — You see which workflows ran during the vulnerability window, which accessed sensitive systems, which succeeded vs. failed

When an auditor asks "Was this agent compromised during the SSRF window?" you show them the screenshot timeline. That's tamper-evident proof your agent was running legitimate workflows.

Adding Visual Proof Now

Add screenshots at every step where your MCP agent accesses sensitive systems:

# Before calling high-risk MCP tool
screenshot_before = pagebolt.take_screenshot(current_url)
store_audit_evidence(workflow_id, "pre-request", screenshot_before)

# Call the MCP tool
response = mcp_client.call_tool("access_credentials")

# After the call
screenshot_after = pagebolt.take_screenshot(current_url)
store_audit_evidence(workflow_id, "post-request", screenshot_after)
Enter fullscreen mode Exit fullscreen mode

Store these alongside your logs with transaction IDs. When you need to prove what your agent accessed, you have the visual proof.

The Broader Point

CVE-2026-26118 exposed a gap in MCP security infrastructure: we trust MCP servers because we trust the authorization model. But we can't see what the agent actually did.

Screenshots close that gap. They're not just for compliance. They're a critical incident response tool for any infrastructure running agentic AI at scale.

When the next MCP vulnerability drops (and it will), you'll have visual proof of what your agents actually accessed.

Get started: PageBolt free tier includes 100 requests/month. Add visual proof to your MCP workflows today.

Top comments (0)