Description
FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.
Published: 2026-04-02
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SSRF
Action: Immediate Patch
AI Analysis

Impact

The FastMCP OpenAPIProvider creates URLs for backend requests by inserting path parameters directly into an OpenAPI path template without URL-encoding them. Because urllib.parse.urljoin() interprets sequences such as "../" as directory traversal, an attacker who can control a path parameter in an API request can cause the provider to resolve a URL that escapes the intended API prefix and targets any backend endpoint. The request is sent with the authorization headers configured for the MCP provider, creating an authenticated SSRF that can reach internal services normally not exposed.
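The mechanism described in the Description and Impact paragraphs, as an added Python illustration that is not FastMCP's own code: a constructed, hypothetical backend prefix (https://backend.internal/api/v1/) and two URL builders. build_url_unsafe reproduces the raw-substitution-then-urljoin() pattern the advisory describes; build_url_safe percent-encodes each parameter, rejects bare dot-segment values, and verifies that the resolved URL still sits under the configured prefix. Function names, the template and the sample parameter values are all constructed for this example.

```python
"""Constructed illustration (not FastMCP's code) of the CVE-2026-32871 root
cause and a hardened alternative: path parameters substituted into an OpenAPI
path template without encoding, then resolved with urllib.parse.urljoin()."""
from urllib.parse import quote, urljoin, urlsplit

# Hypothetical backend prefix; the trailing slash matters, because urljoin()
# drops the last path segment of the base when it has no trailing slash.
BASE_URL = "https://backend.internal/api/v1/"


def _substitute(template: str, params: dict[str, str], encode: bool) -> str:
    """Fill {name} placeholders in an OpenAPI path template."""
    path = template
    for name, value in params.items():
        rendered = quote(str(value), safe="") if encode else str(value)
        path = path.replace("{" + name + "}", rendered)
    return path


def build_url_unsafe(base_url: str, template: str, params: dict[str, str]) -> str:
    """Vulnerable pattern: raw substitution, then urljoin() collapses any '..'
    segments the parameter carried, so the result can leave base_url's prefix."""
    return urljoin(base_url, _substitute(template, params, encode=False).lstrip("/"))


def build_url_safe(base_url: str, template: str, params: dict[str, str]) -> str:
    """Hardened pattern:
    1. refuse values that are bare dot segments ('.' / '..'), which quote()
       leaves untouched (dots are unreserved) and urljoin() would still collapse;
    2. percent-encode every parameter with safe="" so '/', '?', '#' and '%'
       cannot change the path structure;
    3. after resolution, verify the URL still sits under the configured prefix."""
    for name, value in params.items():
        if str(value) in ("", ".", ".."):
            raise ValueError(f"invalid value for path parameter {name!r}: {value!r}")
    url = urljoin(base_url, _substitute(template, params, encode=True).lstrip("/"))
    base, final = urlsplit(base_url), urlsplit(url)
    if (final.scheme, final.netloc) != (base.scheme, base.netloc) \
            or not final.path.startswith(base.path):
        raise ValueError(f"resolved URL escapes API prefix: {url}")
    return url


def escapes_prefix(base_url: str, url: str) -> bool:
    """True when url's path is outside base_url's path prefix."""
    return not urlsplit(url).path.startswith(urlsplit(base_url).path)


def accepts(base_url: str, template: str, params: dict[str, str]) -> bool:
    """True when the hardened builder accepts the parameters, False when it rejects them."""
    try:
        build_url_safe(base_url, template, params)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    template = "/users/{user_id}"
    normal = {"user_id": "42"}
    traversal = {"user_id": "../../../elsewhere"}   # constructed hostile value

    print(build_url_unsafe(BASE_URL, template, normal))     # stays under /api/v1/
    print(build_url_unsafe(BASE_URL, template, traversal))  # resolves outside the prefix
    print(build_url_safe(BASE_URL, template, normal))
    print(build_url_safe(BASE_URL, template, traversal))    # '/' encoded, prefix kept
```

Two points worth noting from the hardened builder: quote() never encodes "." so a parameter consisting solely of "." or ".." still acts as a dot segment after resolution and has to be rejected explicitly, and the post-resolution prefix comparison is a backstop that catches any substitution path the encoding step missed. Neither replaces upgrading to 3.2.0; they show what a correct builder has to guarantee.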

Affected Systems

PrefectHQ FastMCP installations running any version prior to 3.2.0 are affected. The flaw resides in the OpenAPIProvider component, specifically the RequestDirector._build_url method.

Risk and Exploitability

The vulnerability has a CVSS score of 10, indicating maximum severity, but its EPSS score is below 1%, meaning exploitation is currently considered unlikely. It is not listed in the CISA KEV catalog. The attack requires the attacker to send an API request with a crafted path parameter to a FastMCP instance; the server will then make an authenticated request to an arbitrary internal endpoint, potentially exposing sensitive data or services.

Generated by OpenCVE AI on April 10, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastMCP to version 3.2.0 or later, where the issue is fixed.
  • If a patch cannot be applied immediately, limit external access to the FastMCP instance or disable the OpenAPIProvider for unauthenticated users.
  • Monitor logs for unexpected requests that contain path traversal patterns or requests to internal URLs.
  • Keep the FastMCP installation isolated from sensitive internal services.


Advisories
Source: Github GHSA
ID: GHSA-vv7q-7jx5-f767
Title: FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
History

Fri, 10 Apr 2026 16:00:00 +0000

Type: First Time appeared
  Values Added: Jlowin; Jlowin fastmcp
Type: CPEs
  Values Added: cpe:2.3:a:jlowin:fastmcp:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Jlowin; Jlowin fastmcp
Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Tue, 07 Apr 2026 00:00:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}; threat_severity Important


Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
  Values Added: Prefecthq; Prefecthq fastmcp
Type: Vendors & Products
  Values Added: Prefecthq; Prefecthq fastmcp
Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 15:15:00 +0000

Type: Description
  Values Added: FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.
Type: Title
  Values Added: FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
Type: Weaknesses
  Values Added: CWE-918
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:59:25.302Z

Reserved: 2026-03-16T21:03:44.419Z

Link: CVE-2026-32871

Vulnrichment

Updated: 2026-04-02T15:59:14.491Z

NVD

Status: Analyzed

Published: 2026-04-02T15:16:38.740

Modified: 2026-04-10T15:58:07.330

Link: CVE-2026-32871

Redhat

Severity: Important

Public Date: 2026-04-02T14:52:39Z

Links: CVE-2026-32871 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-13T14:28:05Z

Weaknesses