{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32871", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.419Z", "datePublished": "2026-04-02T14:52:39.978Z", "dateUpdated": "2026-04-02T15:59:25.302Z"}, "containers": {"cna": {"title": "FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767"}, {"name": "https://github.com/PrefectHQ/fastmcp/pull/3507", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrefectHQ/fastmcp/pull/3507"}, {"name": "https://github.com/PrefectHQ/fastmcp/commit/40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrefectHQ/fastmcp/commit/40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71"}, {"name": "https://github.com/PrefectHQ/fastmcp/releases/tag/v3.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrefectHQ/fastmcp/releases/tag/v3.2.0"}], "affected": [{"vendor": "PrefectHQ", "product": "fastmcp", "versions": [{"version": "< 3.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:52:39.978Z"}, "descriptions": [{"lang": "en", "value": "FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0."}], "source": {"advisory": "GHSA-vv7q-7jx5-f767", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:59:21.963304Z", "id": "CVE-2026-32871", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:59:25.302Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32871", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T15:59:21.963304Z"}}}], "references": [{"url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:59:14.491Z"}}], "cna": {"title": "FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability", "source": {"advisory": "GHSA-vv7q-7jx5-f767", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "PrefectHQ", "product": "fastmcp", "versions": [{"status": "affected", "version": "< 3.2.0"}]}], "references": [{"url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767", "name": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/PrefectHQ/fastmcp/pull/3507", "name": "https://github.com/PrefectHQ/fastmcp/pull/3507", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/PrefectHQ/fastmcp/commit/40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71", "name": "https://github.com/PrefectHQ/fastmcp/commit/40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/PrefectHQ/fastmcp/releases/tag/v3.2.0", "name": "https://github.com/PrefectHQ/fastmcp/releases/tag/v3.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:52:39.978Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32871", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:59:25.302Z", "dateReserved": "2026-03-16T21:03:44.419Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T14:52:39.978Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0."}], "id": "CVE-2026-32871", "lastModified": "2026-04-02T17:16:22.680", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T15:16:38.740", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/PrefectHQ/fastmcp/commit/40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71"}, {"source": "security-advisories@github.com", "url": "https://github.com/PrefectHQ/fastmcp/pull/3507"}, {"source": "security-advisories@github.com", "url": "https://github.com/PrefectHQ/fastmcp/releases/tag/v3.2.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "fastmcp", "source": "cna", "vendor": "PrefectHQ"}, "product": "fastmcp", "vendor": "prefecthq"}], "analysis": {"en": {"generated_at": "2026-04-02T16:51:23.800656+00:00", "value": {"mitigation_remediation": ["Upgrade FastMCP to version 3.2.0 or newer."], "summary": {"action": "Apply Patch", "impact": "Authenticated SSRF and Path Traversal"}, "threat_synthesis": {"affected_systems": "All installations of the PrefectHQ FastMCP library running a version earlier than 3.2.0 are affected. The vulnerability exists in the RequestDirector class of the OpenAPIProvider component, before the patch introduced in version 3.2.0.", "description_and_impact": "The root cause of this vulnerability is that the OpenAPIProvider in FastMCP substitutes path parameters into URL templates without URL\u2011encoding. The unencoded values are then processed by urllib.parse.urljoin, which interprets &#34;../&#34; sequences as directory traversal. An attacker who can control a path parameter can fabricate an OpenAPI request that causes the provider to issue an HTTP request to an arbitrary backend endpoint while preserving the authorization headers configured by the client. This flaw is a classic example of an insecure direct object reference, identified as CWE\u2011918. The impact is that an authenticated user can reach services or resources outside the intended API prefix, potentially exposing sensitive data or enabling malicious manipulation of internal functionality.", "risk_and_exploitability": "The CVSS score of 10 denotes critical severity, indicating that exploitation carries high impact on confidentiality, integrity, and availability of the protected backend systems. The EPSS score is not provided, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, the flaw can be triggered remotely by any authenticated user who can craft an OpenAPI request, making it a significant risk if left unmitigated. The likely attack flow involves sending a malicious path parameter from the client side to force the server to issue an internal request to an unintended endpoint, thereby creating an SSRF condition to the backend services."}}}}, "created": "2026-04-02T20:11:36.315369+00:00", "updated": "2026-04-02T20:20:17.692122+00:00", "vendors": ["prefecthq", "prefecthq$PRODUCT$fastmcp"]}