CVE-2026-27124 in fastmcpinformação

Sumário (Inglês)

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Responsável

GitHub_M

Reservar

17/02/2026

Divulgação

03/04/2026

Estado

Confirmado

Inscrições

VulDB provides additional information and datapoints for this CVE:

IDVulnerabilidadeCWEExpConCVE
355173jlowin fastmcp Elevação de Privilégios441Não definidoCorreção oficialCVE-2026-27124

Descrição

CPE

CWE

CVSS

Explorações

História

Diferença

Relacionar

Inteligência de ameaças

API JSON

API XML

API CSV

Fontes

VoltarVisão GeralPróximo

Want to know what is going to be exploited?

We predict KEV entries!