HIGH🇵🇱 Wersja polska

CVE-2025-69196

CVSS 7.4v4.0pub. 2026-03-16upd. 2026-06-30

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Jlowin Fastmcp

    APP
    Jlowin
    < 2.14.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-32871CRITICAL10.0PL ✓ten sam produkt

FastMCP: path traversal i SSRF przez niekodowane parametry ścieżki URL

CVE-2026-27124HIGH8.2ten sam produkt

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the Git...

CVE-2025-64340MEDIUM6.7ten sam produkt

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containi...

CVE-2025-62800MEDIUM5.3ten sam produkt

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cro...

CVE-2025-62801MEDIUM5.4ten sam produkt

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection...