Impact
FastMCP, a framework for building MCP applications, contained a flaw in its OAuthProxy before version 3.2.0. When the proxy received an authorization code back from GitHub, it did not verify that the user had actually consented to the downstream client that started the flow. GitHub does not show a consent screen for a client the user has previously authorized, so the code could be issued and redeemed without the user ever seeing a prompt. This is a confused-deputy weakness (CWE-441): the proxy, which GitHub trusts, can be induced to obtain authorization on behalf of a legitimate user without that user's explicit approval. The result is unauthorized access to the user's data wherever the OAuth delegation is trusted, violating the confidentiality and integrity of the affected account.
Affected Systems
The FastMCP framework published by jlowin, in all releases prior to 3.2.0. Deployments running any earlier version with the GitHubProvider OAuth integration enabled are potentially affected.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.2 (high severity). It is not listed in the CISA KEV catalog, and no EPSS data is available, so the probability of exploitation cannot be quantified; the high score and the nature of the flaw nevertheless indicate significant risk to systems that rely on FastMCP's OAuthProxy. The likely attack vector is the OAuth callback, where a malicious party intercepts or redirects the authorization-code flow so that the proxy completes it for the wrong party. Exploitation requires that the victim has previously authorized the proxy's GitHub OAuth app, which is the normal state of an existing deployment.
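The mechanism described under Impact and the exploitation precondition noted above, as an added illustration that is not FastMCP's code and not the project's actual fix: a toy OAuth proxy in front of an upstream identity provider that skips the consent screen for an app the user has already authorized. The names UpstreamIdP, Proxy, run_attack and run_legit_flow, the cookie-style browser session strings, and the consent-binding mitigation are all assumptions made for this example. The vulnerable and hardened variants differ only in whether the callback insists that the browser presenting the upstream code is the one that approved the downstream client.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of the confused-deputy flow, not FastMCP code.
# Names and the session-binding mitigation are assumptions for illustration.


@dataclass
class Transaction:
    client_id: str                      # downstream client that started the flow
    client_redirect: str                # where the proxy sends the downstream code
    approved_by: Optional[str] = None   # browser session that consented, if any


class UpstreamIdP:
    """Stands in for GitHub. Once the user has authorized the proxy's OAuth app,
    later authorize requests redirect straight back with a code: no consent UI."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def authorize(self, logged_in_user: str, proxy_callback: str, state: str) -> dict:
        code = secrets.token_hex(8)
        self._codes[code] = logged_in_user       # code is bound to the browser's user
        return {"redirect": proxy_callback, "code": code, "state": state}

    def exchange(self, code: str) -> str:
        return "gh_token_for_" + self._codes.pop(code)


class Proxy:
    """OAuth proxy sitting between downstream clients and the upstream IdP."""

    CALLBACK = "https://proxy.example/auth/callback"

    def __init__(self, idp: UpstreamIdP, require_consent: bool) -> None:
        self.idp = idp
        self.require_consent = require_consent   # False models the pre-3.2.0 behaviour
        self._txns: dict[str, Transaction] = {}
        self._issued: dict[str, str] = {}        # downstream code -> upstream token

    def start(self, client_id: str, client_redirect: str) -> str:
        """Downstream client begins a flow. Returns the state value the proxy puts
        on the upstream authorize URL; it identifies this transaction on return."""
        state = secrets.token_hex(8)
        self._txns[state] = Transaction(client_id, client_redirect)
        return state

    def consent(self, state: str, browser_session: str) -> None:
        """Hardened proxy: its own consent page names the downstream client and
        records which browser approved it before the user is sent upstream."""
        self._txns[state].approved_by = browser_session

    def callback(self, code: str, state: str, browser_session: str) -> dict:
        txn = self._txns.pop(state, None)
        if txn is None:
            return {"error": "invalid_request"}
        # The vulnerable variant skips this check and trusts the upstream code alone.
        if self.require_consent and txn.approved_by != browser_session:
            return {"error": "access_denied",
                    "reason": "this browser never approved " + txn.client_id}
        token = self.idp.exchange(code)
        ds_code = secrets.token_hex(8)
        self._issued[ds_code] = token
        return {"redirect": txn.client_redirect, "code": ds_code}

    def redeem(self, ds_code: str) -> str:
        return self._issued.pop(ds_code)


def run_attack(require_consent: bool) -> Optional[str]:
    """Attacker starts a flow for their own client, then lures the victim's browser
    (already authorized upstream) to the authorize URL carrying the attacker's
    state. Returns the upstream token the attacker ends up with, or None."""
    idp = UpstreamIdP()
    proxy = Proxy(idp, require_consent)
    state = proxy.start("attacker-client", "https://attacker.example/cb")
    # The victim follows the link; the IdP issues a code for the victim, no prompt.
    hop = idp.authorize("victim", Proxy.CALLBACK, state)
    result = proxy.callback(hop["code"], hop["state"], browser_session="victim-cookie")
    if "code" not in result:
        return None
    # The downstream code lands on the attacker's redirect URI; attacker redeems it.
    return proxy.redeem(result["code"])


def run_legit_flow() -> str:
    """Honest flow on the hardened proxy: the same browser consents and returns."""
    idp = UpstreamIdP()
    proxy = Proxy(idp, require_consent=True)
    state = proxy.start("trusted-client", "https://app.example/cb")
    proxy.consent(state, "alice-cookie")
    hop = idp.authorize("alice", Proxy.CALLBACK, state)
    result = proxy.callback(hop["code"], hop["state"], browser_session="alice-cookie")
    return proxy.redeem(result["code"])


if __name__ == "__main__":
    print("vulnerable:", run_attack(require_consent=False))   # gh_token_for_victim
    print("hardened:  ", run_attack(require_consent=True))    # None
    print("legit:     ", run_legit_flow())                    # gh_token_for_alice
```

Two points the model makes visible: checking the OAuth state parameter does nothing here, because the attacker chose the state when starting the transaction, and the upstream IdP cannot help, because from its side a valid, previously authorized app is simply asking again. The only party that can decide whether the victim meant to authorize attacker-client is the proxy, which is why the mitigation ties the callback to a consent the proxy itself collected from that browser. The real FastMCP 3.2.0 change may be implemented differently; the property it must establish is the same.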
OpenCVE Enrichment
Github GHSA