
11 matches found

Github Security Blog
added 2026/03/16 3:14 p.m., 6 views

FastMCP OAuth Proxy token reuse across MCP servers

While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the baseurl passed to...

CVSS 7.4, AI score 5.8, EPSS 0.00278
Exploits: 1, References: 3, Affected software: 1
Positive Technologies
added 2026/03/16 12:00 a.m., 3 views

PT-2026-25775

Name of the Vulnerable Software and Affected Versions FastMCP versions prior to 2.14.2 Description FastMCP, a framework for building MCP applications, does not properly validate the resource parameter submitted by the client during authorization and token requests. Instead of issuing tokens...

CVSS 7.4, AI score 5.4, EPSS 0.00278
Exploits: 1, References: 8
Snyk
added 2025/12/17 10:43 p.m., 3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via improper validation of $tokenAudience. A user can gain unauthorized access to protected resources by submitting an ID token in place of an access token. Remediation Upgrade auth0/auth0-php to version 8.18.0 o...

CVSS 7.5, AI score 6.9, EPSS 0.00368
Exploits: 0, References: 2
RedhatCVE
added 2025/11/26 5:57 p.m., 11 views

CVE-2025-9803

lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' audience field in the access token issued by Google, which is crucial for ensuring the token is intended for the...

CVSS 9.3, AI score 7.3, EPSS 0.00417
Exploits: 2, References: 1
OSV
added 2025/11/25 1:15 a.m., 3 views

CVE-2025-9803

lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' audience field in the access token issued by Google, which is crucial for ensuring the token is intended for the...

CVSS 8.8, AI score 5.8, EPSS 0.00417
Exploits: 2, References: 2
EUVD
added 2025/10/03 8:07 p.m., 7 views

EUVD-2023-0532

Malicious code in bioql PyPI...

CVSS 9, AI score 9, EPSS 0.00879
Exploits: 0, References: 6
OSV
added 2022/02/09 12:57 a.m., 22 views

GHSA-72J4-94RX-CR6W Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions...

CVSS 4.9, AI score 5, EPSS 0.01641
Exploits: 0, References: 2
Github Security Blog
added 2022/02/09 12:57 a.m., 34 views

Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions...

CVSS 4.9, AI score 5.5, EPSS 0.01641
Exploits: 0, References: 3, Affected software: 1
NVD
added 2020/09/16 7:15 p.m., 14 views

CVE-2020-1694

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions...

CVSS 4.9, EPSS 0.01641
Exploits: 0, References: 1
RedHat Linux
added 2020/07/02 1:21 p.m., 6 views

keycloak: verify-token-audience support is missing in the NodeJS adapter

A flaw was found in Keycloak, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions...

CVSS 4.9, AI score 5.7, EPSS 0.01641
Exploits: 0, References: 4
RedhatCVE
added 2020/07/02 12:20 p.m., 23 views

CVE-2020-1694

A flaw was found in Keycloak, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions...

CVSS 4, AI score 2.9, EPSS 0.01641
Exploits: 0, References: 3