HIGH🇬🇧 English

CVE-2026-27124

CVSS 8.2v4.0pub. 2026-04-03upd. 2026-04-22

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Jlowin Fastmcp

    APP
    Jlowin
    < 3.2.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-32871CRITICAL10.0PL ✓ten sam produkt

FastMCP: path traversal i SSRF przez niekodowane parametry ścieżki URL

CVE-2025-69196HIGH7.4ten sam produkt

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not ...

CVE-2025-64340MEDIUM6.7ten sam produkt

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containi...

CVE-2025-62800MEDIUM5.3ten sam produkt

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cro...

CVE-2025-62801MEDIUM5.4ten sam produkt

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection...