Lucene search

8 matches found

OSV, added 2026/04/16 11:45 p.m.

BIT-OAUTH2-PROXY-2026-34454 OAuth2 Proxy: Session cookie not cleared when rendering sign-in page

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be...

CVSS 3.5 | AI score 5.7 | EPSS 0.00011 | Exploits: 0 | References: 3
CVE, added 2026/04/03 3:22 p.m.

CVE-2026-27124

CVE-2026-27124 describes a Confused Deputy vulnerability in the FastMCP OAuthProxy used with the GitHubProvider OAuth integration. Prior to version 3.2.0, the OAuthProxy does not properly validate user consent after receiving the GitHub authorization code, and combined with GitHub’s consent-page ...

CVSS 8.2 | AI score 5.9 | EPSS 0.00063 | Exploits: 1 | References: 1 | Affected Software: 1
OSV, added 2026/03/31 10:32 p.m.

GHSA-RWW4-4W9C-7733 FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

Summary While testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHu...

CVSS 8.2 | AI score 5.9 | EPSS 0.00063 | Exploits: 1 | References: 4
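The two FastMCP consent entries above (CVE-2026-27124 and GHSA-RWW4-4W9C-7733) describe the proxy treating the upstream provider's callback as proof that the user approved the downstream client. The following is an added example, not FastMCP's code, sketching the difference between a callback that forwards on the strength of the upstream code alone and one that also requires consent recorded for that specific transaction, which is the mitigation the MCP security guidance recommends for proxies that use a single static upstream client ID. The class name, fields, token values and URLs are assumptions.

```python
"""
Added example (not FastMCP's code): an OAuth proxy callback that only completes
a downstream client's authorization if the user consented to that client in
this transaction, instead of inferring consent from the upstream provider's
callback. Names, fields and URLs are constructed for the example.
"""
import secrets
from typing import Dict, Optional


class OAuthProxy:
    def __init__(self) -> None:
        # state -> pending transaction (downstream client, its redirect_uri,
        # and whether the user approved it on the proxy's own consent page)
        self.transactions: Dict[str, dict] = {}

    def start(self, client_id: str, redirect_uri: str) -> str:
        """Downstream client begins the flow; returns the state the proxy
        will carry through the upstream provider (e.g. GitHub)."""
        state = secrets.token_urlsafe(16)
        self.transactions[state] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "consented": False,
        }
        return state

    def consent(self, state: str) -> None:
        """User explicitly approves this client_id/redirect_uri pair on a page
        rendered by the proxy itself. Only reached if the user clicks through."""
        self.transactions[state]["consented"] = True

    def callback_vulnerable(self, state: str, upstream_code: str) -> str:
        """Flawed: the arrival of the upstream callback is taken as consent.
        If the provider auto-approves an app the user already authorized, a
        client registered by an attacker (with the attacker's redirect_uri)
        receives a code minted for the victim."""
        tx = self.transactions.pop(state, None)
        if tx is None:
            raise ValueError("unknown state")
        downstream_code = self._mint_code(tx, upstream_code)
        return f"{tx['redirect_uri']}?code={downstream_code}&state={state}"

    def callback_fixed(self, state: str, upstream_code: str) -> str:
        """Hardened: identical, except it refuses unless the proxy itself has
        recorded the user's consent for this exact transaction."""
        tx = self.transactions.pop(state, None)
        if tx is None:
            raise ValueError("unknown state")
        if not tx["consented"]:
            raise PermissionError("consent_required")
        downstream_code = self._mint_code(tx, upstream_code)
        return f"{tx['redirect_uri']}?code={downstream_code}&state={state}"

    @staticmethod
    def _mint_code(tx: dict, upstream_code: str) -> str:
        # Stand-in for exchanging the upstream code and issuing the proxy's own
        # code bound to the downstream client; here just an opaque value.
        return secrets.token_urlsafe(12)


def attack_outcome(fixed: bool) -> Optional[str]:
    """Attacker registers a client whose redirect_uri they control, sends the
    victim the authorization link, and the upstream provider silently approves.
    Returns the attacker's redirect (carrying the victim's code) on success, or
    None when the proxy refuses."""
    proxy = OAuthProxy()
    state = proxy.start("attacker-client", "https://attacker.example/cb")
    # The victim never visits the proxy's consent page in this flow.
    try:
        if fixed:
            return proxy.callback_fixed(state, "upstream-code-for-victim")
        return proxy.callback_vulnerable(state, "upstream-code-for-victim")
    except PermissionError:
        return None


if __name__ == "__main__":
    print("vulnerable:", attack_outcome(fixed=False))
    print("fixed:", attack_outcome(fixed=True))
```

The point of the hardened variant is that consent is a fact the proxy records itself, per transaction, and not something it reads off the upstream provider's behaviour, which the proxy cannot see or control.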
CVE, added 2026/03/16 6:07 p.m.

CVE-2025-69196

The GHSA advisory GHSA-5H2M-4Q8J-PQPJ describes a misconfiguration in FastMCP OAuth Proxy where the token issuer/audience are derived from the proxy’s base_url, causing access and refresh tokens to be issued without binding to the requested MCP server resource. This means tokens can be used on ot...

CVSS 7.4 | AI score 5.7 | EPSS 0.00022 | Exploits: 1 | References: 1 | Affected Software: 1
Cvelist, added 2026/03/16 6:07 p.m.

CVE-2025-69196 FastMCP OAuth Proxy token reuse across MCP servers

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for...

CVSS 7.4 | EPSS 0.00022 | Exploits: 1 | References: 1
Github Security Blog, added 2026/03/16 3:14 p.m.

FastMCP OAuth Proxy token reuse across MCP servers

While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the baseurl passed to...

CVSS 7.4 | AI score 5.8 | EPSS 0.00022 | Exploits: 1 | References: 3 | Affected Software: 1
Positive Technologies, added 2026/03/16 12:00 a.m.

PT-2026-25775

While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the base url passed to...

CVSS 7.4 | AI score 5.8 | EPSS 0.00022 | Exploits: 1 | References: 3
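The four CVE-2025-69196 entries above (CVE, Cvelist, Github Security Blog and Positive Technologies) all describe the same defect: the audience is derived from the proxy's base_url rather than from the resource parameter the client sent, so a token obtained for one MCP server is accepted by every other server behind the same proxy. As an added example, not FastMCP's code, the following toy proxy issues tokens both ways and an MCP server checks the audience; it shows why the fix has two halves, the proxy binding the audience to the RFC 8707 resource parameter and each server expecting its own resource URI rather than the proxy's base_url. The token format, signing key, server URLs and function names are constructed for the example.

```python
"""
Added example (not FastMCP's code): a toy OAuth proxy that issues tokens either
with the audience derived from its own base_url (the flawed pattern) or from
the RFC 8707 `resource` parameter, and an MCP server that checks the audience.
Token format, names and URLs are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Set
from urllib.parse import urlsplit, urlunsplit

SIGNING_KEY = b"constructed-proxy-signing-key"
PROXY_BASE_URL = "https://proxy.example.com"

# Two MCP servers fronted by the same proxy (constructed).
MCP_A = "https://mcp-a.example.com/mcp"
MCP_B = "https://mcp-b.example.com/mcp"
KNOWN_RESOURCES: Set[str] = {MCP_A, MCP_B}


def sign(claims: dict) -> str:
    """Opaque HMAC-signed token; stands in for the proxy's real token format."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str) -> dict:
    """Check the HMAC and return the claims; raises ValueError on tampering."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def canonicalize_resource(uri: str) -> str:
    """RFC 8707: absolute URI with no fragment; lower-case scheme and host."""
    p = urlsplit(uri)
    if not p.scheme or not p.netloc or p.fragment:
        raise ValueError("invalid_target")
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))


def issue_token_vulnerable(subject: str, resource: Optional[str]) -> str:
    """Flawed: `resource` is ignored and the audience is the proxy base_url,
    so the token is valid at every MCP server behind this proxy."""
    return sign({"sub": subject, "iss": PROXY_BASE_URL, "aud": PROXY_BASE_URL})


def issue_token_fixed(subject: str, resource: Optional[str]) -> str:
    """Hardened: the requested resource must be present and known, and it
    becomes the audience."""
    if resource is None:
        raise ValueError("invalid_target: resource parameter required")
    aud = canonicalize_resource(resource)
    if aud not in KNOWN_RESOURCES:
        raise ValueError("invalid_target: unknown resource")
    return sign({"sub": subject, "iss": PROXY_BASE_URL, "aud": aud})


def server_accepts(token: str, expected_aud: str) -> bool:
    """Resource-server side: accept only if `aud` equals the audience this
    server was configured to expect."""
    try:
        return verify(token).get("aud") == expected_aud
    except ValueError:
        return False


def demo() -> dict:
    """A token requested for MCP_A is presented to MCP_A and MCP_B.
    In the vulnerable deployment every server expects the proxy base_url
    (the only audience the proxy ever emits); in the fixed deployment each
    server expects its own resource URI."""
    vuln = issue_token_vulnerable("alice", MCP_A)
    fixed = issue_token_fixed("alice", MCP_A)
    return {
        "vuln_reused_on_b": server_accepts(vuln, PROXY_BASE_URL),
        "fixed_on_a": server_accepts(fixed, MCP_A),
        "fixed_on_b": server_accepts(fixed, MCP_B),
    }


if __name__ == "__main__":
    print(demo())
```

A server that merely checks the signature and issuer, or that is configured with the proxy's base_url as its audience, cannot tell a token meant for it from one meant for a sibling server; the audience has to be the server's own canonical resource URI, and the proxy has to reject requests whose resource it does not serve.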
OSV, added 2025/07/07 10:13 p.m.

GHSA-36RG-GFQ2-3H56 Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes

Summary An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. Details In the matchesPattern function, url.startsWith can be deceived with ...

CVSS 5.3 | AI score 5.7 | EPSS 0.00309 | Exploits: 0 | References: 4
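The Better Auth entry above attributes the open redirect to a string prefix test (url.startsWith) in matchesPattern. As an added example, not Better Auth's code, the following Python reproduces the same pattern with str.startswith, whose semantics match, against constructed inputs, beside an allowlist check that compares the parsed origin instead. The allowlist and the probe URLs are constructed to illustrate the class of bypass; none of them is claimed to be the advisory's exact payload, which the summary above truncates.

```python
"""
Added example (not Better Auth's code): why an origin allowlist enforced with a
raw string prefix is bypassable, and a parse-based comparison that is not.
The allowlist and probe URLs are constructed for the example.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TRUSTED_ORIGINS = ["https://app.example.com"]  # constructed allowlist

Origin = Tuple[str, str, int]


def matches_prefix(url: str) -> bool:
    """Flawed pattern: a prefix test on the string, as in url.startsWith."""
    return any(url.startswith(origin) for origin in TRUSTED_ORIGINS)


def origin_of(url: str) -> Optional[Origin]:
    """(scheme, host, port) of an absolute http(s) URL, or None if it is not one."""
    try:
        p = urlsplit(url)
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:  # e.g. non-numeric port
        return None
    return (p.scheme, p.hostname, port)


def matches_origin(url: str) -> bool:
    """Hardened: reject backslashes (browsers treat them as slashes but URL
    parsers may not), allow same-site relative paths, and compare the parsed
    origin triple exactly against the allowlist."""
    if "\\" in url:
        return False
    if url.startswith("/") and not url.startswith("//"):
        return True  # relative redirect stays on this site
    target = origin_of(url)
    allowed = {origin_of(o) for o in TRUSTED_ORIGINS}
    return target is not None and target in allowed


# Constructed probes: the classic ways a prefix test is beaten, plus two
# legitimate targets for comparison.
PROBES = [
    "https://app.example.com/callback",            # legitimate absolute
    "/reset-password/abc",                          # legitimate relative
    "https://app.example.com.attacker.example/",    # trusted host as a prefix of another host
    "https://app.example.com@attacker.example/",    # trusted host as userinfo
    "https://app.example.com\\@attacker.example/",  # backslash before the @
    "//attacker.example/",                          # protocol-relative
    "javascript:alert(1)",                          # non-http scheme
]


def compare() -> Dict[str, Tuple[bool, bool]]:
    """For each probe: (accepted by prefix check, accepted by origin check)."""
    return {u: (matches_prefix(u), matches_origin(u)) for u in PROBES}


if __name__ == "__main__":
    for url, (by_prefix, by_origin) in compare().items():
        print(f"{url!r:50} prefix={by_prefix!s:5} origin={by_origin}")
```

The prefix check accepts three of the five hostile probes because the trusted origin is literally the start of the string; the origin check accepts only the two legitimate targets. The same comparison applies unchanged to the JavaScript original, where `new URL(url).origin` plays the role of origin_of here.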