CVE-2026-27124— FastMCP 安全漏洞

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.

N/A

未有动机的代理或中间人(混淆代理)

FastMCP 安全漏洞

FastMCP是Jeremiah Lowin个人开发者的一个MCP服务器构建软件。 FastMCP 3.2.0之前版本存在安全漏洞，该漏洞源于OAuthProxy未正确验证用户授权，可能导致混淆代理人攻击。

N/A

N/A