Description
FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.
Published: 2026-04-02
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: Authenticated SSRF and Path Traversal
Action: Apply Patch
AI Analysis

Impact

The root cause of this vulnerability is that the OpenAPIProvider in FastMCP substitutes path parameters into URL templates without URL-encoding them. The unencoded values are then resolved by urllib.parse.urljoin, which interprets "../" sequences as directory traversal. An attacker who can control a path parameter can craft a request whose parameter value contains "../" sequences, causing the provider to issue an HTTP request to an arbitrary backend endpoint while preserving the authorization headers configured in the provider. The flaw is classified as server-side request forgery (CWE-918). The impact is that an authenticated user can reach services or resources outside the intended API prefix, potentially exposing sensitive data or enabling malicious manipulation of internal functionality.
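To make the mechanism concrete, the following added illustration (written for this page, not FastMCP's _build_url() code) models the substitute-then-urljoin pattern the advisory describes next to a hardened builder that percent-encodes each parameter and re-checks the resolved URL against the API prefix; the base URL, template and parameter values are constructed.

```python
from urllib.parse import quote, urljoin

# Constructed example values; not taken from FastMCP.
BASE_URL = "https://backend.internal/api/v1/"   # must end with "/"
TEMPLATE = "/users/{user_id}"


def build_url_vulnerable(base: str, template: str, params: dict) -> str:
    """Model of the flawed pattern: raw substitution, then urljoin().

    urljoin() applies RFC 3986 dot-segment removal, so a value containing
    "../" walks out of the API prefix before the request is sent.
    """
    path = template.lstrip("/")
    for name, value in params.items():
        path = path.replace("{" + name + "}", str(value))
    return urljoin(base, path)


def encode_path_param(name: str, value) -> str:
    """Percent-encode one path parameter so it stays a single path segment."""
    value = str(value)
    # quote() never encodes ".", so a bare "." or ".." would survive encoding
    # and still be collapsed by urljoin(); reject those values outright.
    if value in (".", ".."):
        raise ValueError(f"path parameter {name!r} may not be {value!r}")
    # safe="" encodes "/", "?", "#" and ";" as well, so the value cannot add
    # path segments, a query string, a fragment or URL params.
    return quote(value, safe="")


def build_url_fixed(base: str, template: str, params: dict) -> str:
    """Hardened builder: encode each value, then verify the resolved URL."""
    path = template.lstrip("/")
    for name, value in params.items():
        path = path.replace("{" + name + "}", encode_path_param(name, value))
    url = urljoin(base, path)
    # Defense in depth: whatever the template did, the final URL must still
    # sit under the configured prefix.
    if not url.startswith(base):
        raise ValueError("resolved URL escaped the configured API prefix")
    return url


if __name__ == "__main__":
    for uid in ("42", "../../../admin"):
        print("vulnerable:", build_url_vulnerable(BASE_URL, TEMPLATE, {"user_id": uid}))
        try:
            print("fixed:     ", build_url_fixed(BASE_URL, TEMPLATE, {"user_id": uid}))
        except ValueError as exc:
            print("fixed:      rejected:", exc)
```

With the traversal value, the vulnerable builder resolves to https://backend.internal/admin, outside the /api/v1/ prefix, while the hardened builder keeps it as a single literal segment under /api/v1/users/.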

Affected Systems

All installations of the PrefectHQ FastMCP library running a version earlier than 3.2.0 are affected. The vulnerability exists in the RequestDirector class of the OpenAPIProvider component, before the patch introduced in version 3.2.0.

Risk and Exploitability

The CVSS score of 10 denotes critical severity, indicating that exploitation carries high impact on confidentiality, integrity, and availability of the protected backend systems. The EPSS score is not provided, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, the flaw can be triggered remotely by any authenticated user who can craft an OpenAPI request, making it a significant risk if left unmitigated. The likely attack flow involves sending a malicious path parameter from the client side to force the server to issue an internal request to an unintended endpoint, thereby creating an SSRF condition to the backend services.

Generated by OpenCVE AI on April 2, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastMCP to version 3.2.0 or newer.

Advisories
Source         ID                     Title
Github GHSA    GHSA-vv7q-7jx5-f767    FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
History

Thu, 02 Apr 2026 20:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Prefecthq
                                        Prefecthq fastmcp
Vendors & Products                      Prefecthq
                                        Prefecthq fastmcp
Metrics                                 ssvc
                                        {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 15:15:00 +0000

Type          Values Removed    Values Added
Description                     FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.
Title                           FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
Weaknesses                      CWE-918
References
Metrics                         cvssV4_0
                                {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:59:25.302Z

Reserved: 2026-03-16T21:03:44.419Z

Link: CVE-2026-32871

Vulnrichment

Updated: 2026-04-02T15:59:14.491Z

NVD

Status : Received

Published: 2026-04-02T15:16:38.740

Modified: 2026-04-02T17:16:22.680

Link: CVE-2026-32871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:17Z

Weaknesses