CVE-2026-27124
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHubβs behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.
| CWE | CWE-441 |
| Vendor | jlowin |
| Product | fastmcp |
| Published | Apr 3, 2026 |
| Last Updated | Apr 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for jlowin fastmcp
Be the first to know when new unknown vulnerabilities affecting jlowin fastmcp are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
Affected Versions
jlowin / fastmcp
< 3.2.0