CVE-2026-32871
Published 2026-04-02
CVE-2026-32871: FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by…
Priority P269 · critical · 10 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.99% (58.1th percentile)
FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jlowin | fastmcp | < 3.2.0 | 3.2.0 |
| jlowin | fastmcp | >= 0 < 3.2.0 | 3.2.0 |
| prefecthq | fastmcp | < 3.2.0 | 3.2.0 |
Detection & IOCs (extracted from sources)
- Detect path traversal attempts in OpenAPI path parameters: look for '../' sequences injected into URL path parameter values destined for FastMCP OpenAPIProvider backends
- Monitor HTTP requests from FastMCP where the constructed URL contains '../' or '%2e%2e%2f' sequences, indicating exploitation of the _build_url() method via urllib.parse.urljoin() directory traversal resolution
- Flag outbound SSRF requests from the FastMCP MCP provider that carry authorization headers to unexpected or internal backend endpoints; these indicate successful exploitation of the path traversal to reach arbitrary endpoints
- Audit FastMCP versions prior to 3.2.0 in affected Red Hat packages (e.g., rhoai/odh-pipeline-runtime-*, rhoai/odh-workbench-*, satellite/foreman-mcp-server-rhel9) for exposure of the OpenAPIProvider path traversal vulnerability
- Note: the vulnerability is only exploitable when the OpenAPIProvider is in use and OpenAPI operations define path parameters; deployments not using OpenAPIProvider are not affected
- Note: the attacker must be authenticated (have MCP client access) to exploit this SSRF; it is not an unauthenticated attack surface
- Note: Red Hat notes no mitigation is currently available for affected packages short of patching; affected products include Red Hat OpenShift AI (RHOAI) pipeline/workbench images and Red Hat Satellite 6 foreman-mcp-server
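The description and the detection guidance above both hinge on one detail: a raw path-parameter value handed to urljoin() is resolved, not escaped. The following added example (my own code, not FastMCP's; the names build_url_unsafe, build_url_safe, is_within_prefix, looks_like_traversal, the base URL and the template are all constructed for illustration) shows the described builder pattern next to a hardened version that percent-encodes each value, rejects bare dot-segments, and verifies the resolved URL is still under the API prefix, plus the log-side '../' check from the detection items. It assumes the base URL ends with the API prefix and templates are relative to it.

```python
import re
from urllib.parse import quote, urljoin, urlsplit

# Matches {name} placeholders in an OpenAPI path template such as /users/{user_id}
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def build_url_unsafe(base_url: str, template: str, params: dict) -> str:
    """Pattern described in the advisory: raw substitution, then urljoin().
    urljoin() resolves '..' segments, so a value can leave the API prefix."""
    path = PLACEHOLDER.sub(lambda m: str(params[m.group(1)]), template)
    return urljoin(base_url, path.lstrip("/"))


def is_within_prefix(url: str, base_url: str) -> bool:
    """Post-resolution guard: same scheme and host, path still under the prefix."""
    u, b = urlsplit(url), urlsplit(base_url)
    return (u.scheme, u.netloc) == (b.scheme, b.netloc) and u.path.startswith(b.path)


def build_url_safe(base_url: str, template: str, params: dict) -> str:
    """Hardened form (this example's own approach): each value becomes exactly
    one path segment. quote(safe="") turns '/' into %2F; '.' and '..' are
    rejected outright because quote() leaves unreserved characters alone and
    urljoin() would still resolve them as dot-segments. A final guard catches
    anything else that escapes the prefix."""
    def encode(m: re.Match) -> str:
        name, value = m.group(1), str(params[m.group(1)])
        if value in ("", ".", ".."):
            raise ValueError(f"invalid path parameter {name}={value!r}")
        return quote(value, safe="")
    url = urljoin(base_url, PLACEHOLDER.sub(encode, template.lstrip("/")))
    if not is_within_prefix(url, base_url):
        raise ValueError(f"resolved URL escapes the API prefix: {url}")
    return url


def looks_like_traversal(url: str) -> bool:
    """Log-side check from the detection guidance: flag constructed URLs that
    carry a literal or percent-encoded '../' sequence (a hit means investigate)."""
    lowered = url.lower()
    return any(s in lowered for s in ("../", "%2e%2e%2f", "..%2f", "%2e%2e/"))


if __name__ == "__main__":
    base = "https://backend.internal/api/v1/"  # constructed sample backend
    tmpl = "/users/{user_id}"
    for value in ("42", "../../other"):
        loose = build_url_unsafe(base, tmpl, {"user_id": value})
        print(value, "->", loose, "within prefix:", is_within_prefix(loose, base))
        print(value, "-> hardened:", build_url_safe(base, tmpl, {"user_id": value}))
```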
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 10.0 | CRITICAL | |
Red Hat
fastmcp: FastMCP: Authenticated Server-Side Request Forgery via path traversal in OpenAPI path parameters
vendor_redhat · 2026-04-02 · CVSS 10.0 · CRITICAL · CWE-918
OSV
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
osv · 2026-03-31 · CRITICAL
## Technical Description
The `OpenAPIProvider` in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The `RequestDirector` class is responsible for constructing HTTP requests to the backend service.
A critical vulnerability exists in the `_build_url()` method. When an OpenAPI operation defines path parameters (e.g., `/api/v1/users/{user_id}`), the system directly substitutes parameter values into the URL template string **without URL-encoding**. Subsequently, `urllib.parse.urljoin()` resolves the final URL.
Since `urljoin()` interprets `../` sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and acc
GHSA
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
ghsa · 2026-03-31 · CRITICAL · CWE-918
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-64340 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.7 · MEDIUM
## CVE-2025-64340: Model Context Protocol vulnerability analysis and mitigation
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.
Source: NVD
Score: 6.7
Published: April 3, 2026
Severity: MEDIUM
CNA Score: 6.7
Affected Technologies: Model Context Protocol
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA
Wiz
CVE-2026-33946 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.7 · MEDIUM
## CVE-2026-33946: Model Context Protocol vulnerability analysis and mitigation
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch.
Source: NVD
Score: 8.2
Published: March 27, 2026
Severity: HIGH
CNA Score: 8.2
Affected Technologies: Model Context Protocol
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 12.7
Exploitation Probability (EPSS): N/A
Affected
Wiz
GHSA-rcfx-77hg-w2wv Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2025-66416 · CVSS 6.7 · MEDIUM
## GHSA-rcfx-77hg-w2wv: Model Context Protocol vulnerability analysis and mitigation
There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416.
FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.
Source: NVD
Published: December 26, 2025
Severity: HIGH
CNA Score: N/A
Affected Technologies: Model Context Protocol
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): N/A
Exploitation Probability (EPSS): N/A
Affected packages and libraries: fastmcp
Sources: NVD
pip Severity HIGH Has F
Wiz
CVE-2026-27124 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.7 · MEDIUM
## CVE-2026-27124: Model Context Protocol vulnerability analysis and mitigation
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub's behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.
Source: NVD
Score: 8.2
Published: April 3, 2026
Severity: HIGH
CNA Score: 8.2
Affected Technologies: Model Context Protocol
Has P
Wiz
CVE-2026-32871 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.2 · HIGH
## CVE-2026-32871: Model Context Protocol vulnerability analysis and mitigation
Bugzilla
CVE-2026-32871 fastmcp: FastMCP: Authenticated Server-Side Request Forgery via path traversal in OpenAPI path parameters
bugzilla · 2026-04-02 · CVSS 10.0 · CRITICAL
References
- https://github.com/PrefectHQ/fastmcp/commit/40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71
- https://github.com/PrefectHQ/fastmcp/pull/3507
- https://github.com/PrefectHQ/fastmcp/releases/tag/v3.2.0
- https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767
- https://access.redhat.com/security/cve/CVE-2026-32871
- https://bugzilla.redhat.com/show_bug.cgi?id=2454434
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32871.json
Published 2026-04-02