The vulnerability CVE-2026-32871 affects PrefectHQ's fastmcp, a Python framework for building MCP servers and clients. In versions before 3.2.0, the OpenAPIProvider component parses OpenAPI specifications to expose internal APIs to MCP clients. The RequestDirector class constructs HTTP requests to backend services by substituting path parameters directly into URL templates without URL-encoding them. When these parameters contain directory traversal sequences such as '../', the urllib.parse.urljoin() function resolves the final URL by traversing directories beyond the intended API prefix. This allows an attacker who can control path parameters to perform path traversal attacks, effectively escaping the restricted API namespace and accessing arbitrary backend endpoints. Since the requests are sent with the authorization headers configured in the MCP provider, this constitutes an authenticated SSRF vulnerability. The attacker can leverage this to access sensitive internal services, potentially leading to data leakage, unauthorized actions, or further compromise of backend systems. The vulnerability does not require user interaction or prior privileges beyond authentication to the MCP client. The issue was addressed in fastmcp version 3.2.0 by properly encoding path parameters or otherwise preventing directory traversal in URL construction.

This vulnerability poses a critical risk to organizations using fastmcp versions prior to 3.2.0. Exploitation allows attackers to bypass API endpoint restrictions and access internal backend services with the same authorization as the MCP provider, potentially exposing sensitive data or enabling unauthorized operations. The SSRF can lead to lateral movement within internal networks, data exfiltration, or compromise of backend infrastructure. Since the flaw requires only authenticated access to the MCP client, any compromised or malicious user with valid credentials can exploit it, increasing the attack surface. The impact is magnified in environments where fastmcp is used to mediate access to critical internal APIs or services that are not otherwise exposed externally. Organizations relying on fastmcp for internal API management or microservice communication are at risk of significant confidentiality, integrity, and availability breaches if unpatched.

Organizations should immediately upgrade fastmcp to version 3.2.0 or later, where this vulnerability is patched. Until upgrading, implement strict input validation and sanitization on all path parameters to prevent directory traversal sequences such as '../'. Employ Web Application Firewalls (WAFs) or API gateways to detect and block suspicious URL patterns indicative of path traversal or SSRF attempts. Restrict MCP client access to trusted users and monitor authentication logs for unusual activity. Limit the scope of authorization headers used by MCP providers to minimize potential damage from SSRF exploitation. Conduct thorough security reviews of any custom code interacting with fastmcp to ensure no similar unsafe URL construction practices exist. Finally, consider network segmentation and internal service hardening to reduce the impact of any SSRF exploitation.