CVE-2026-27124
Confused Deputy in FastMCP OAuthProxy Enables Unauthorized Access

Publication date: 2026-04-03

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor: jlowin | Product: fastmcp | Version / Range: up to 3.2.0 (exclusive)
CWE-441: The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27124 is a high-severity Confused Deputy vulnerability in the FastMCP OAuthProxy component affecting versions prior to 3.2.0. The issue arises because the OAuthProxy does not properly verify that the browser submitting the OAuth authorization code has actually given user consent for the client-server connection.

During the OAuth flow with GitHubProvider integration, an attacker can initiate authentication using a malicious MCP client connected to a benign MCP server and capture the authorization URL after consenting. The attacker then tricks a victim, who is already logged into GitHub and previously authorized a benign MCP client, into opening this URL.

Because GitHub skips the consent page for previously authorized clients, the victim’s browser is redirected immediately to the OAuthProxy callback endpoint, which does not confirm that the victim’s browser has just given consent. As a result, the OAuthProxy redirects the victim’s browser to the attacker’s client callback URL with a valid authorization code.

The attacker can then exchange this code for an access token tied to the victim’s GitHub account on the benign MCP server, gaining unauthorized access to resources. The root cause is that the OAuthProxy accepts any valid state and code pair without verifying that consent was granted by the same browser session making the callback request.


How can this vulnerability impact me?

This vulnerability can allow an attacker to gain unauthorized access to a victim’s GitHub account resources on a benign MCP server by exploiting the OAuthProxy’s failure to verify user consent properly.

Specifically, the attacker can trick a victim into authorizing access that the attacker then uses to obtain an access token linked to the victim’s account, potentially exposing sensitive data or allowing actions on behalf of the victim without their knowledge.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to gain unauthorized access to a victim's GitHub account on a benign MCP server by exploiting the OAuthProxy's failure to verify user consent properly. This unauthorized access could lead to exposure or misuse of personal or sensitive data.

Such unauthorized access and potential data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over user consent and access to personal data.

Specifically, the failure to properly validate user consent undermines the principle of informed consent mandated by these regulations, potentially leading to violations if personal data is accessed or processed without proper authorization.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring OAuth authorization flows involving the FastMCP OAuthProxy component, specifically looking for cases where authorization codes are accepted without proper user consent verification.

Detection involves checking if the OAuthProxy callback handler (_handle_idp_callback function) properly validates that the browser submitting the authorization code has given consent.

One practical approach is to intercept OAuth authorization URLs and responses using a proxy tool such as Burp Suite to observe if authorization codes are accepted without a corresponding consent verification tied to the browser session.

While no specific commands are provided in the resources, using network traffic analysis tools or web proxies to capture and analyze OAuth flows can help detect this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade FastMCP to version 3.2.0 or later, where the vulnerability has been patched.

The patch enhances the OAuthProxy to verify that the browser submitting the authorization code has actually given consent for the client-server connection, for example by setting and validating a consent cookie or similar browser-bound state token.

Until the upgrade is applied, consider monitoring OAuth flows closely and restricting or disabling OAuthProxy usage if possible to reduce exposure.
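The following is an added, self-contained toy model of the callback check the answers above describe; it is not FastMCP's code, and the cookie name, the transaction store and the URLs are assumptions. It contrasts a proxy that accepts any known state on the IdP callback with one that additionally requires a consent token the proxy set on the browser that actually saw the consent page, so a callback arriving from a browser that never consented to that transaction is rejected.

```python
import secrets
from dataclasses import dataclass

CONSENT_COOKIE = "mcp_consent"  # hypothetical cookie name, not FastMCP's own


@dataclass
class Transaction:
    """Pending authorization keyed by the state the proxy sends to the IdP."""
    client_redirect_uri: str
    consent_token: str  # issued only to the browser that saw the consent page


class OAuthProxyModel:
    def __init__(self, require_browser_consent: bool):
        self.require_browser_consent = require_browser_consent
        self.transactions: dict[str, Transaction] = {}

    def start(self, client_redirect_uri: str):
        """A browser consents at the proxy's authorize endpoint.
        Returns the IdP state and the cookies the proxy sets on that browser."""
        state = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(16)
        self.transactions[state] = Transaction(client_redirect_uri, token)
        return state, {CONSENT_COOKIE: token}

    def handle_idp_callback(self, state: str, cookies: dict):
        """The IdP redirects some browser back with state (and its own code).
        Returns the client redirect carrying a proxy-issued code, or None."""
        txn = self.transactions.get(state)
        if txn is None:
            return None  # unknown or already-used state
        presented = cookies.get(CONSENT_COOKIE, "")
        if self.require_browser_consent and not secrets.compare_digest(presented, txn.consent_token):
            return None  # this browser never consented to this transaction
        del self.transactions[state]  # single use
        return f"{txn.client_redirect_uri}?code={secrets.token_urlsafe(16)}&state={state}"


def callback_from_consenting_browser():
    """Normal flow: the browser that consented returns with its consent cookie."""
    proxy = OAuthProxyModel(require_browser_consent=True)
    state, cookies = proxy.start("https://client.example/cb")
    return proxy.handle_idp_callback(state, cookies)


def callback_from_other_browser(require_browser_consent: bool):
    """One browser starts the flow; a different browser without the consent
    cookie later hits the callback with the same state. Returns the client
    redirect (code issued) or None (rejected)."""
    proxy = OAuthProxyModel(require_browser_consent)
    state, _consenting_cookies = proxy.start("https://client.example/cb")
    return proxy.handle_idp_callback(state, cookies={})
```

With `require_browser_consent=False` the model reproduces the unpatched behaviour (any known state is honoured); with it set to `True` the same callback from the non-consenting browser returns `None`.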

