Cyber Posture

CVE-2026-32871

Critical · Public PoC

Published: 02 April 2026
Modified: 10 April 2026
KEV Added:
Patch:
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (24.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2026-32871 affects FastMCP, a Python library for building MCP servers and clients, specifically versions prior to 3.2.0. The vulnerability resides in the OpenAPIProvider component, which parses OpenAPI specifications to expose internal APIs to MCP clients. In the RequestDirector class's _build_url() method, path parameters (e.g., {user_id} in /api/v1/users/{user_id}) are directly substituted into URL templates without URL-encoding. The subsequent use of urllib.parse.urljoin() interprets ../ sequences as directory traversal, enabling attackers to escape the intended API prefix and target arbitrary backend endpoints.

Any network-accessible MCP client can exploit this vulnerability with low complexity and no privileges required (CVSS 10.0: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). By controlling a path parameter, an attacker injects traversal sequences like ../ to redirect requests, resulting in authenticated server-side request forgery (SSRF, CWE-918). Requests carry the authorization headers configured in the MCP provider, allowing access to internal services that would otherwise be restricted.

The issue was addressed in FastMCP version 3.2.0, as detailed in the project's GitHub security advisory (GHSA-vv7q-7jx5-f767), release notes, associated pull request #3507, and patch commit 40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71. Security practitioners should upgrade to 3.2.0 or later to mitigate the risk.
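The following is an added illustration of the mechanism the summary describes, not FastMCP's RequestDirector code and not the project's actual patch. It shows, in a simplified form, why substituting a raw path parameter and then calling urllib.parse.urljoin() lets a traversal segment leave the API prefix, and one defensive way to build the URL instead: percent-encode each parameter with quote(safe='') so that '/' becomes %2F, reject values that are still a whole dot-segment ('.' and '..' are unreserved characters and survive quoting unchanged), and finally verify that the resolved path still starts with the configured base path. The function names build_url_unsafe, build_url_safe and PathParameterError, and the base URL backend.internal, are assumptions constructed for this example.

```python
"""Simplified illustration of the unencoded path-parameter traversal described
for CVE-2026-32871, beside a hardened URL builder.  This is an added example,
not FastMCP's RequestDirector._build_url() and not the project's own fix.
Assumed/constructed names: build_url_unsafe, build_url_safe, PathParameterError,
and the sample base URL below."""
from urllib.parse import quote, urljoin, urlsplit

# Constructed sample base; keep the trailing slash so the prefix check below
# cannot be fooled by a sibling path such as /api/v10/.
BASE_URL = "https://backend.internal/api/v1/"


def build_url_unsafe(base_url: str, template: str, params: dict) -> str:
    """The weak pattern the advisory describes: raw str.format substitution of
    path parameters, then urljoin(), which resolves '..' segments against the
    base path and so can leave the intended API prefix."""
    path = template.format(**params)
    return urljoin(base_url, path)


class PathParameterError(ValueError):
    """Raised when a path parameter value cannot be confined to one segment."""


def build_url_safe(base_url: str, template: str, params: dict) -> str:
    """Hardened variant.

    1. quote(value, safe='') percent-encodes '/', '?', '#' and friends, so the
       value can never introduce a new path segment.
    2. '.' and '..' are unreserved and come back from quote() unchanged, so a
       value that is exactly a dot-segment (or empty) is rejected outright.
    3. As defence in depth, the resolved path must still start with the base
       path; anything else is treated as an error rather than sent upstream.
    """
    encoded = {}
    for name, value in params.items():
        value = str(value)
        if value in ("", ".", ".."):
            raise PathParameterError(f"{name!r}: {value!r} is not a valid path segment")
        encoded[name] = quote(value, safe="")

    url = urljoin(base_url, template.format(**encoded))

    base_path = urlsplit(base_url).path
    if not urlsplit(url).path.startswith(base_path):
        raise PathParameterError(f"resolved path escapes {base_path!r}: {url}")
    return url


if __name__ == "__main__":
    template = "users/{user_id}"
    # Constructed inputs: an ordinary id and the traversal value from the summary.
    for user_id in ("42", "../../admin"):
        print("unsafe:", build_url_unsafe(BASE_URL, template, {"user_id": user_id}))
        try:
            print("safe:  ", build_url_safe(BASE_URL, template, {"user_id": user_id}))
        except PathParameterError as exc:
            print("safe:   rejected:", exc)
```

The point of the final prefix check is that it is independent of how the parameter was encoded: even if a future template or a different join routine behaves unexpectedly, a request whose resolved path does not sit under the configured base is refused before any configured authorization header is attached to it.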

Details

CWE(s)
CWE-918

Affected Products

jlowin
fastmcp
≤ 3.2.0

AI Security Analysis

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
Matched keywords: mcp, mcp, mcp

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing OpenAPI provider via unencoded path parameters leading to directory traversal and SSRF against arbitrary backend endpoints, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
