Two critical-severity Azure vulnerabilities from the April 2026 Patch Tuesday cycle affect cloud-native components: an information disclosure flaw in the Azure MCP Server (CVSS 9.1) and a privilege escalation flaw in the Azure Custom Locations Resource Provider for Azure Arc (CVSS 9.6). Neither carries a CISA KEV listing at time of publication, but both affect cloud control-plane components where exploitation impact is disproportionate to initial access requirements. Organizations running Azure Web Apps with MCP Server integration or Azure Arc-enabled Kubernetes deployments should apply patches and review RBAC posture this week.