9 matches found
PT-2026-55450
Name of the Vulnerable Software and Affected Versions dragonfly versions prior to 2.4.4 Description The Dragonfly Manager fails to enforce authentication on specific API endpoints, allowing unauthenticated network-reachable attackers to retrieve sensitive OAuth client secrets. The issue occurs...
EUVD-2026-40297
Rancher has over-inclusive team membership expansion in GitHub App authentication provider...
CVE-2026-41053
Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2...
CVE-2026-27124 FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not...
CVE-2026-27124
CVE-2026-27124 describes a Confused Deputy vulnerability in the FastMCP OAuthProxy used with the GitHubProvider OAuth integration. Prior to version 3.2.0, the OAuthProxy does not properly validate user consent after receiving the GitHub authorization code, and combined with GitHub’s consent-page ...
GHSA-RWW4-4W9C-7733 FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
Summary While testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHu...
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
Summary While testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHu...
PT-2026-29421
Name of the Vulnerable Software and Affected Versions: FastMCP versions prior to 3.2.0 Description: FastMCP is susceptible to a Confused Deputy issue within its GitHubProvider OAuth integration. The OAuthProxy component fails to properly validate user consent when receiving authorization codes fr...
PT-2024-22133
Name of the Vulnerable Software and Affected Versions Minder versions prior to 0.0.33 Description A Minder user can use the endpoints GetRepositoryByName, DeleteRepositoryByName, and GetArtifactByName to access any repository in the database, irrespective of who owns the repository and any...