2 matches found
CVE-2026-27124 FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not...
CVE-2025-64340
FastMCP (the MCP framework) is affected prior to version 3.2.0. A vulnerability arises when server names contain shell metacharacters (for example, &); this can trigger command injection on Windows during fastmcp install claude-code or fastmcp install gemini-cli. The install commands use subproce...