JustAppSec

FastMCP patches critical SSRF via OpenAPI path traversal

2 min read · Published 02 Apr 2026 · Updated 02 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — A URL construction bug in FastMCP’s OpenAPIProvider can let MCP clients traverse out of intended API prefixes and drive SSRF into arbitrary backend endpoints using the provider’s authorization context.

What happened

fastmcp is a Python framework for building Model Context Protocol (MCP) servers and clients, including an OpenAPIProvider that exposes backend HTTP APIs to MCP clients based on an OpenAPI spec.

CVE-2026-32871 describes a vulnerability in OpenAPIProvider’s request routing where path parameters are substituted into URL templates without URL-encoding, and the resulting path is then resolved against the base URL with urllib.parse.urljoin(). Because urljoin() applies RFC 3986 dot-segment removal, a ../ inside a substituted value is resolved against the base path rather than sent as literal data, so an attacker who can control a path parameter can escape the intended OpenAPI route prefix and reach arbitrary backend endpoints on the same host.

The core risk is SSRF with inherited credentials: the CVE notes requests are sent with the authorization headers configured in the MCP provider, so the attacker effectively “borrows” the provider’s backend access to hit endpoints that were never meant to be reachable via the spec.

The CVE record reports a CVSS v4.0 base score of 10.0 (Critical). This is a high-signal class of bug for platform teams because it’s a canonicalization issue (template substitution + URL resolution) that turns “safe API proxying” features into a backend access primitive.
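To make the mechanism concrete, here is an added example that is not fastmcp's code: the base URL, the route template and the helper names are assumptions for illustration. It shows the substitute-then-urljoin() pattern the CVE describes next to a hardened version that percent-encodes each value (including dots, which urllib.parse.quote() leaves alone on its own) so that /, ., ? and # are sent as literal data, plus a final containment check on the resolved URL:

```python
from urllib.parse import quote, urljoin

# Assumed backend base URL for the example (not from the advisory).
BASE_URL = "https://backend.internal/api/v1/"

# Hypothetical route template as an OpenAPI spec might expose it; the name
# and shape are assumptions for this example, not fastmcp internals.
TEMPLATE = "users/{user_id}/profile"


def build_url_vulnerable(template: str, params: dict) -> str:
    """The pattern the CVE describes: raw substitution, then urljoin().

    urljoin() performs RFC 3986 dot-segment removal, so a value such as
    '../../admin/users' climbs out of BASE_URL's path prefix, and a '?'
    in a value turns the rest of the template into a query string.
    """
    path = template
    for name, value in params.items():
        path = path.replace("{" + name + "}", str(value))  # no encoding
    return urljoin(BASE_URL, path)


def encode_path_value(value: str) -> str:
    """Percent-encode a single path segment value.

    quote(safe='') encodes '/', '?', '#', '%' and friends but never '.',
    because '.' is unreserved; the advisory lists '.' explicitly, so the
    dots are encoded separately to keep '..' from ever forming a segment.
    """
    return quote(value, safe="").replace(".", "%2E")


def build_url_hardened(template: str, params: dict) -> str:
    """Encode every value before substitution; resolution is then harmless."""
    path = template
    for name, value in params.items():
        path = path.replace("{" + name + "}", encode_path_value(str(value)))
    return urljoin(BASE_URL, path)


def stays_within_prefix(url: str, prefix: str = BASE_URL) -> bool:
    """Defense in depth: refuse any resolved URL outside the configured base."""
    return url.startswith(prefix)


if __name__ == "__main__":
    # Constructed attacker-controlled values.
    for value in ("42", "../../admin/users", "42?admin=true"):
        bad = build_url_vulnerable(TEMPLATE, {"user_id": value})
        good = build_url_hardened(TEMPLATE, {"user_id": value})
        print(f"{value!r}\n  vulnerable: {bad}  (contained={stays_within_prefix(bad)})"
              f"\n  hardened:   {good}  (contained={stays_within_prefix(good)})")
```

Note that the "?" case never leaves the prefix, so a startswith() check alone would miss it; encoding is the actual fix and the prefix check is only a backstop.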

Who is impacted

  • Deployments using fastmcp prior to 3.2.0 (affected range in the CVE record: < 3.2.0).
  • Highest risk when you use OpenAPIProvider to proxy internal/backoffice APIs to MCP clients, and MCP clients can influence path parameter values.
Component | Affected versions (per CVE record) | Patched versions (per CVE record)
fastmcp   | < 3.2.0                            | 3.2.0

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
    • "This issue has been patched in version 3.2.0." (CVE record)

  • Treat this as an API boundary break, not “just SSRF”: review where OpenAPIProvider is used to front privileged/internal services and prioritize those deployments for patching.
  • Audit OpenAPI specs and MCP-exposed operations for attacker-controlled path parameters; assume an attacker will probe traversal strings (e.g., ../) and delimiter characters (e.g., ?, #, /) to influence URL resolution.
  • If you maintain downstream integrations or forks, incorporate the vendor’s remediation approach from the advisory:
    • "URL-encode all path parameter values before substitution to ensure reserved characters (/, ., ?, #) are treated as literal data, not path delimiters." (GitHub advisory)

  • If compromise/abuse is suspected, review outbound HTTP logs from the MCP service for unexpected backend paths (especially those outside the OpenAPI-defined prefix) and rotate any backend credentials configured in the MCP provider.
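As an added example of the log review in the last step (not fastmcp's code or output), the script below runs over constructed sample log lines in an assumed "timestamp method url status" format and flags any outbound request whose URL, after one round of percent-decoding and dot-segment normalisation, lands outside the configured base. The line format, host and prefix are assumptions; adapt LINE_RE to whatever your HTTP client or egress proxy actually records.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# Constructed sample lines for this example; not real fastmcp output.
SAMPLE_LOG = """\
2026-04-02T10:00:01Z GET https://backend.internal/api/v1/users/42/profile 200
2026-04-02T10:00:02Z GET https://backend.internal/api/v1/users/../../admin/users/profile 200
2026-04-02T10:00:03Z GET https://backend.internal/api/admin/users/profile 200
2026-04-02T10:00:04Z GET https://backend.internal/api/v1/users/%2e%2e/%2e%2e/admin/users/profile 403
2026-04-02T10:00:05Z POST https://other.internal/hooks 200
"""

# Assumed origin and path prefix the OpenAPI spec is meant to confine requests to.
ALLOWED_BASE = "https://backend.internal/api/v1/"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def canonical_path(path: str) -> str:
    """Percent-decode once, then collapse '.' and '..' as a server would.

    posixpath.normpath never climbs above '/', which matches how RFC 3986
    dot-segment removal clamps at the root. Decoding first catches the
    %2e%2e spelling of '..'.
    """
    return posixpath.normpath("/" + unquote(path).lstrip("/"))


def classify(url: str, allowed_base: str = ALLOWED_BASE) -> Optional[str]:
    """Return a reason if the URL leaves the allowed base, else None."""
    want = urlparse(allowed_base)
    got = urlparse(url)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return "different origin"
    want_path = canonical_path(want.path)
    got_path = canonical_path(got.path)
    if got_path != want_path and not got_path.startswith(want_path.rstrip("/") + "/"):
        return "path outside prefix"
    return None


def audit(log_text: str, allowed_base: str = ALLOWED_BASE) -> list:
    """Return one finding per log line whose request escaped the base."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; tighten LINE_RE for your format
        reason = classify(m["url"], allowed_base)
        if reason:
            findings.append({"ts": m["ts"], "url": m["url"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']}  {f['reason']:<20}  {f['url']}")
```

Lines 2 and 3 in the sample represent the same request logged before and after urljoin() resolution; a useful audit must flag both, which is why the check normalises the path rather than looking for a literal "../". The 403 on line 4 is still worth investigating: a denied probe is evidence of an attacker enumerating the prefix boundary.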

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
