CVE-2026-27124

Source
https://cve.org/CVERecord?id=CVE-2026-27124
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27124.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27124
Aliases
Downstream
Published
2026-04-03T15:22:17.028Z
Modified
2026-07-08T08:12:26.250522374Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
Details

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27124.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-441"
    ]
}
References

Affected packages

Git / github.com/prefecthq/fastmcp

Affected ranges

Type
GIT
Repo
https://github.com/prefecthq/fastmcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:jlowin:fastmcp:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v1.*
v1.0
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.12.0
v2.12.0rc1
v2.12.1
v2.12.2
v2.12.3
v2.12.4
v2.13.0
v2.13.0.1
v2.13.0rc1
v2.13.0rc2
v2.13.0rc3
v2.13.1
v2.13.2
v2.14.0
v2.14.1
v2.2.0
v2.2.1
v2.2.10
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.0-rc.1
v2.3.0-rc.2
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.9.0
v2.9.1
v2.9.2
v3.*
v3.0.0
v3.0.0b1
v3.0.0b2
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.1
v3.0.2
v3.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27124.json"