CVE-2026-32871: CWE-918: Server-Side Request Forgery (SSRF) in PrefectHQ fastmcp
CVE-2026-32871 is a critical Server-Side Request Forgery (SSRF) vulnerability in PrefectHQ's fastmcp versions prior to 3.2.0. The vulnerability arises from improper URL construction in the OpenAPIProvider component, where path parameters are inserted without URL-encoding, allowing directory traversal sequences to escape the intended API path. This enables an authenticated attacker to send crafted requests to arbitrary backend endpoints with the authorization headers of the MCP provider. The issue has been patched in version 3.2.0.
AI Analysis
Technical Summary
FastMCP, a Python framework for building MCP servers and clients, had a vulnerability in its OpenAPIProvider prior to version 3.2.0. The RequestDirector class's _build_url() method substitutes path parameters directly into URL templates without URL-encoding. Because urllib.parse.urljoin() interprets '../' sequences as directory traversal, an attacker controlling path parameters can escape the API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, leveraging the authorization headers configured in the MCP provider. The vulnerability is identified as CWE-918 and has a CVSS 4.0 score of 10.0, indicating critical severity. The issue is fixed in fastmcp version 3.2.0.
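As an added illustration (not fastmcp's own code), the URL-construction pattern the analysis describes beside a hardened variant: `quote(value, safe="")` keeps `/` out of the resolved path, while an explicit prefix check and a refusal of bare dot segments cover what percent-encoding alone does not. The base URL, template and parameter values are constructed.

```python
from urllib.parse import quote, urljoin

# Constructed values for the demonstration; not taken from fastmcp.
BASE_URL = "https://api.example.internal/v1/"
TEMPLATE = "users/{user_id}/tokens"


def build_url_unencoded(base_url, template, params):
    """Pattern the advisory describes: raw substitution, then urljoin().
    urljoin() resolves '..' segments, so a traversal value escapes base_url."""
    path = template
    for name, value in params.items():
        path = path.replace("{" + name + "}", value)
    return urljoin(base_url, path)


def build_url_encoded(base_url, template, params):
    """Hardened variant (added example). Each parameter is percent-encoded
    with no safe characters, so '/' becomes '%2F' and cannot open a new
    path segment. quote() never touches '.', so a bare '.' or '..' value is
    rejected explicitly, and the final URL must still sit under base_url."""
    path = template
    for name, value in params.items():
        if value in ("", ".", ".."):
            raise ValueError(f"path parameter {name!r} is a dot segment")
        path = path.replace("{" + name + "}", quote(value, safe=""))
    url = urljoin(base_url, path)
    if not url.startswith(base_url):  # defence in depth
        raise ValueError("resolved URL left the API prefix")
    return url


def stays_under_prefix(url, base_url=BASE_URL):
    """Detection-style check: does a built URL still target the API prefix?"""
    return url.startswith(base_url)


if __name__ == "__main__":
    traversal = {"user_id": "../../admin"}
    print(build_url_unencoded(BASE_URL, TEMPLATE, traversal))
    print(build_url_encoded(BASE_URL, TEMPLATE, traversal))
```

Note that a lone `..` value passes `urljoin()` without leaving the prefix yet still changes which endpoint is hit, which is why the hardened variant rejects dot segments rather than relying on the prefix check alone.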
Potential Impact
An attacker with the ability to authenticate to the MCP client can exploit this vulnerability to perform SSRF attacks, sending requests to arbitrary backend endpoints with the authorization headers of the MCP provider. This can lead to unauthorized access to internal services and sensitive data exposure. The vulnerability has a critical CVSS score of 10.0, reflecting the high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability has been patched in fastmcp version 3.2.0. Users should upgrade to version 3.2.0 or later to remediate this issue. No other mitigation is required as the fix addresses the root cause by properly handling URL construction and encoding.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-16T21:03:44.419Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ce866ce6bfc5ba1de335fd
Added to database: 4/2/2026, 3:08:28 PM
Last enriched: 4/10/2026, 12:04:24 AM
Last updated: 5/20/2026, 9:37:05 PM