PT-2026-29424 · Fastmcp · Fastmcp
Jaynornj +1
Published: 2026-03-31 · Updated: 2026-06-03
CVE-2026-32871
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FastMCP (affected versions not specified)
Description: The OpenAPIProvider in FastMCP is susceptible to an authenticated Server-Side Request Forgery (SSRF) vulnerability caused by insufficient URL encoding of path parameters. The build_url() method substitutes parameter values directly into URL templates without encoding them, and urllib.parse.urljoin() then interprets ../ sequences as directory traversal. An attacker who controls a path parameter can therefore escape the intended API prefix and reach arbitrary backend endpoints, with the request carrying the authorization headers of the MCP provider. The vulnerable code is the build_url() function in fastmcp/utilities/openapi/director.py. The API endpoint is constructed from a path template such as /api/v1/users/{user_id}, and the vulnerable parameter is user_id. A proof of concept reaches an administrative endpoint (/admin/delete-all) by supplying ../../../admin/delete-all? as the value of user_id. The impact is unauthorized access to internal APIs, potential privilege escalation, and data exfiltration.
Recommendations: URL-encode all path parameter values before substitution so that reserved characters cannot be interpreted as path delimiters. The updated build_url() method should use urllib.parse.quote(str(param_value), safe="") to encode each value.
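As an added illustration, not FastMCP's own code, the two constructed helpers below reproduce the pattern the description and the recommendation refer to: raw substitution into the template followed by urljoin(), beside the same builder with quote(..., safe="") applied. The base URL, the helper names and the within_prefix() post-check are assumptions made for this example.

```python
"""Path-parameter substitution in URL templates: vulnerable vs. hardened.

Constructed example. build_url_unencoded()/build_url_encoded() are simplified
reconstructions of the pattern described in the advisory, not FastMCP's code.
"""
from urllib.parse import quote, urljoin, urlsplit

# Constructed values: a backend base URL, the template quoted in the advisory,
# and the API prefix that every resolved request is expected to stay under.
BASE_URL = "https://backend.example.internal/"
TEMPLATE = "/api/v1/users/{user_id}"
API_PREFIX = "/api/v1/"


def build_url_unencoded(base_url: str, template: str, params: dict) -> str:
    """Vulnerable pattern: values are pasted in verbatim, so a value containing
    '../' becomes extra path segments that urljoin() resolves upwards."""
    path = template
    for name, value in params.items():
        path = path.replace("{" + name + "}", str(value))
    return urljoin(base_url, path)


def build_url_encoded(base_url: str, template: str, params: dict) -> str:
    """Hardened pattern: quote(..., safe="") percent-encodes '/', '?', '#' and
    every other reserved character, so a value fills exactly one segment."""
    path = template
    for name, value in params.items():
        path = path.replace("{" + name + "}", quote(str(value), safe=""))
    return urljoin(base_url, path)


def within_prefix(url: str, prefix: str = API_PREFIX) -> bool:
    """Defence-in-depth check: the resolved path must still be under the prefix."""
    return urlsplit(url).path.startswith(prefix)


if __name__ == "__main__":
    cases = {"benign": {"user_id": "42"},
             "traversal": {"user_id": "../../../admin/delete-all?"}}
    for builder in (build_url_unencoded, build_url_encoded):
        for label, params in cases.items():
            url = builder(BASE_URL, TEMPLATE, params)
            print(f"{builder.__name__:20} {label:9} in_prefix={within_prefix(url)!s:5} {url}")
```

Running it shows the unencoded builder resolving the traversal value to /admin/delete-all while the encoded builder keeps it inside /api/v1/users/ as a single opaque segment.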

Tags: Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-32871
ECHO-BD91-E96B-0EFC
GHSA-VV7Q-7JX5-F767

Affected Products

Fastmcp