Auth bypass in Jlowin Fastmcp
CVE-2025-69196
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the to…
Vulnerability class: Broken Access Control
EPSS: 0.000 (6.4th percentile)
Affected products
- Jlowin Fastmcp — versions < 2.14.2
Weakness classification (CWE)
References
- https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-5h2m-4q8j-pqpj (x_refsource_CONFIRM)