Vulnerability in Jlowin Fastmcp

CVE-2026-27124

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, i…

EPSS: 0.001 (19.7th percentile) — read the EPSS interpretation.

Affected products

Jlowin Fastmcp — versions < 3.2.0

Weakness classification (CWE)

CWE-441 — Unintended Proxy or Intermediary (Confused Deputy)

References

https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-rww4-4w9c-7733 (x_refsource_CONFIRM)