CVE-2026-32871
published 2026-04-02


Priority: P269
CVSS 3.1: 10.0 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.99% (58.1th percentile)
FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.
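The defect class described above, as an added illustration that is not FastMCP's RequestDirector or _build_url() code: a builder that substitutes a path parameter verbatim before urllib.parse.urljoin(), beside a hardened variant that percent-encodes each value into a single path segment, plus a detection check on the raw parameter value. The base URL, function names and sample parameter values are constructed for this example; note that urljoin() collapses the dot segments, so the resolved URL no longer contains '../' and the check has to look at the parameter value rather than the joined URL.

```python
from urllib.parse import quote, unquote, urljoin

# Constructed backend prefix for the illustration; not a real host.
BASE_URL = "https://backend.example.internal/api/v1/"


def build_url_vulnerable(base: str, template: str, params: dict[str, str]) -> str:
    """Mirror of the defect class: values are substituted verbatim, then urljoin()
    removes '..' segments, so a value containing '../' walks out of the prefix."""
    path = template.lstrip("/")
    for name, value in params.items():
        path = path.replace("{" + name + "}", value)  # no URL-encoding
    return urljoin(base, path)


def build_url_hardened(base: str, template: str, params: dict[str, str]) -> str:
    """Percent-encode every value (safe="" also encodes '/'), so a value can only
    ever be one path segment; reject lone dot segments, which quote() leaves as-is."""
    path = template.lstrip("/")
    for name, value in params.items():
        if value in (".", ".."):
            raise ValueError(f"path parameter {name!r} is a dot segment")
        path = path.replace("{" + name + "}", quote(value, safe=""))
    url = urljoin(base, path)
    if not url.startswith(base):  # defence in depth: never leave the API prefix
        raise ValueError("constructed URL escaped the API prefix")
    return url


def looks_like_traversal(value: str) -> bool:
    """Detection helper for the raw parameter value: catches '../' whether literal
    or percent-encoded (e.g. %2e%2e%2f). Inspect the value, not the joined URL,
    because urljoin() has already collapsed the dot segments by then."""
    lowered = value.lower()
    return "../" in lowered or "../" in unquote(lowered)


if __name__ == "__main__":
    template = "/users/{user_id}"
    hostile = {"user_id": "../../admin"}  # constructed sample value
    print(build_url_vulnerable(BASE_URL, template, {"user_id": "42"}))
    print(build_url_vulnerable(BASE_URL, template, hostile))  # resolves outside /api/v1/
    print(build_url_hardened(BASE_URL, template, hostile))    # stays a single segment
    print(looks_like_traversal(hostile["user_id"]))           # True
```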

Affected

3 ranges

Vendor      Product   Version range   Fixed in
jlowin      fastmcp   < 3.2.0         3.2.0
jlowin      fastmcp   >= 0 < 3.2.0    3.2.0
prefecthq   fastmcp   < 3.2.0         3.2.0

Detection & IOCs (extracted from sources)

  • Detect path traversal attempts in OpenAPI path parameters — look for '../' sequences injected into URL path parameter values destined for FastMCP OpenAPIProvider backends
  • Monitor HTTP requests from FastMCP where the constructed URL contains '../' or '%2e%2e%2f' sequences, indicating exploitation of the _build_url() method via urllib.parse.urljoin() directory traversal resolution
  • Flag outbound SSRF requests from FastMCP MCP provider that carry authorization headers to unexpected or internal backend endpoints — these indicate successful exploitation of the path traversal to reach arbitrary endpoints
  • Audit FastMCP versions prior to 3.2.0 in affected Red Hat packages (e.g., rhoai/odh-pipeline-runtime-*, rhoai/odh-workbench-*, satellite/foreman-mcp-server-rhel9) for exposure of the OpenAPIProvider path traversal vulnerability
  • The vulnerability is only exploitable when the OpenAPIProvider is in use and OpenAPI operations define path parameters — deployments not using OpenAPIProvider are not affected
  • The attacker must be authenticated (have MCP client access) to exploit this SSRF; it is not an unauthenticated attack surface
  • Red Hat notes no mitigation is currently available for affected packages short of patching; affected products include Red Hat OpenShift AI (RHOAI) pipeline/workbench images and Red Hat Satellite 6 foreman-mcp-server

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      10.0    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd             v4.0      10.0    CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat   n/a       10.0    CRITICAL   n/a