CVE-2026-32871

CriticalPublic PoC

Published: 02 April 2026

Published

02 April 2026

Modified

10 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0012 30.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32871 is a critical-severity SSRF (CWE-918) vulnerability in Jlowin Fastmcp. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the vulnerability by requiring validation and sanitization of path parameters to block directory traversal sequences like '../' before URL construction.

SC-7 Boundary Protection partial match

preventdetect

Enforces boundary protection to monitor and control requests to backend endpoints, limiting SSRF exploitation to arbitrary internal services.

AC-4 Information Flow Enforcement partial match

prevent

Implements information flow enforcement policies to restrict requests to only intended API prefixes, preventing escape to unauthorized backend endpoints.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing OpenAPI provider via unencoded path parameters leading to directory traversal and SSRF against arbitrary backend endpoints, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the…

backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.

Deeper analysisAI

CVE-2026-32871 affects FastMCP, a Python library for building MCP servers and clients, specifically versions prior to 3.2.0. The vulnerability resides in the OpenAPIProvider component, which parses OpenAPI specifications to expose internal APIs to MCP clients. In the RequestDirector class's _build_url() method, path parameters (e.g., {user_id} in /api/v1/users/{user_id}) are directly substituted into URL templates without URL-encoding. The subsequent use of urllib.parse.urljoin() interprets ../ sequences as directory traversal, enabling attackers to escape the intended API prefix and target arbitrary backend endpoints.

Any network-accessible MCP client can exploit this vulnerability with low complexity and no privileges required (CVSS 10.0: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). By controlling a path parameter, an attacker injects traversal sequences like ../ to redirect requests, resulting in authenticated server-side request forgery (SSRF, CWE-918). Requests carry the authorization headers configured in the MCP provider, allowing access to internal services that would otherwise be restricted.

The issue was addressed in FastMCP version 3.2.0, as detailed in the project's GitHub security advisory (GHSA-vv7q-7jx5-f767), release notes, associated pull request #3507, and patch commit 40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71. Security practitioners should upgrade to 3.2.0 or later to mitigate the risk.

Details

CWE(s): CWE-918

Affected Products

jlowin

fastmcp

≤ 3.2.0

AI Security AnalysisAI

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, mcp, mcp

CVEs Like This One

CVE-2025-64340Same product: Jlowin Fastmcp

CVE-2026-5832Shared CWE-918

CVE-2026-7221Shared CWE-918

CVE-2026-7146Shared CWE-918

CVE-2026-42260Shared CWE-918

CVE-2026-7417Shared CWE-918

CVE-2026-7158Shared CWE-918

CVE-2026-7147Shared CWE-918

CVE-2025-0454Shared CWE-918

CVE-2025-21385Shared CWE-918

References

https://github.com/PrefectHQ/fastmcp/commit/40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71
Patch · security-advisories@github.com
https://github.com/PrefectHQ/fastmcp/pull/3507
Issue Tracking, Patch · security-advisories@github.com
https://github.com/PrefectHQ/fastmcp/releases/tag/v3.2.0
Product, Release Notes · security-advisories@github.com
https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com
https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767
Exploit, Mitigation, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0