CVE-2026-27124
Confused Deputy in FastMCP OAuthProxy Enables Unauthorized Access
Publication date: 2026-04-03
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jlowin | fastmcp | to 3.2.0 (exc) |
| CWE ID | Description |
|---|---|
| CWE-441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27124 is a high-severity Confused Deputy vulnerability in the FastMCP OAuthProxy component affecting versions prior to 3.2.0. The issue arises because the OAuthProxy does not properly verify that the browser submitting the OAuth authorization code has actually given user consent for the client-server connection.
During the OAuth flow with GitHubProvider integration, an attacker can initiate authentication using a malicious MCP client connected to a benign MCP server and capture the authorization URL after consenting. The attacker then tricks a victim, who is already logged into GitHub and previously authorized a benign MCP client, into opening this URL.
Because GitHub skips the consent page for previously authorized clients, the victim's browser is redirected immediately to the OAuthProxy callback endpoint, which does not confirm that the victim's browser has just given consent. As a result, the OAuthProxy redirects the victim's browser to the attacker's client callback URL with a valid authorization code.
The attacker can then exchange this code for an access token tied to the victim's GitHub account on the benign MCP server, gaining unauthorized access to resources. The root cause is that the OAuthProxy accepts any valid state and code pair without verifying that consent was granted by the same browser session making the callback request.
How can this vulnerability impact me?
This vulnerability can allow an attacker to gain unauthorized access to a victim's GitHub account resources on a benign MCP server by exploiting the OAuthProxy's failure to verify user consent properly.
Specifically, the attacker can trick a victim into authorizing access that the attacker then uses to obtain an access token linked to the victim's account, potentially exposing sensitive data or allowing actions on behalf of the victim without their knowledge.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to gain unauthorized access to a victim's GitHub account on a benign MCP server by exploiting the OAuthProxy's failure to verify user consent properly. This unauthorized access could lead to exposure or misuse of personal or sensitive data.
Such unauthorized access and potential data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over user consent and access to personal data.
Specifically, the failure to properly validate user consent undermines the principle of informed consent mandated by these regulations, potentially leading to violations if personal data is accessed or processed without proper authorization.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring OAuth authorization flows involving the FastMCP OAuthProxy component, specifically looking for cases where authorization codes are accepted without proper user consent verification.
Detection involves checking if the OAuthProxy callback handler (_handle_idp_callback function) properly validates that the browser submitting the authorization code has given consent.
One practical approach is to intercept OAuth authorization URLs and responses using a proxy tool such as Burp Suite to observe if authorization codes are accepted without a corresponding consent verification tied to the browser session.
While no specific commands are provided in the resources, using network traffic analysis tools or web proxies to capture and analyze OAuth flows can help detect this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FastMCP to version 3.2.0 or later, where the vulnerability has been patched.
The patch enhances the OAuthProxy to verify that the browser submitting the authorization code has actually given consent for the client-server connection, for example by setting and validating a consent cookie or similar browser-bound state token.
Until the upgrade is applied, consider monitoring OAuth flows closely and restricting or disabling OAuthProxy usage if possible to reduce exposure.
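The browser-bound consent check described above, sketched as an added example (not FastMCP's code or its actual patch). All function names, the cookie name and the signing key are hypothetical; the state-only function models the root cause as the page describes it, and the second function shows the additional check.

```python
import hashlib
import hmac
import secrets

# Constructed example: every name here is hypothetical, not FastMCP's API.
PROXY_KEY = secrets.token_bytes(32)   # per-deployment signing key (assumed)
CONSENT_COOKIE = "proxy_consent"      # assumed cookie name


def start_transaction(transactions: dict, client_id: str, redirect_uri: str) -> str:
    """Record a pending authorization and return the state sent to the IdP."""
    state = secrets.token_urlsafe(16)
    transactions[state] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return state


def consent_cookie(state: str, client_id: str) -> str:
    """Value set only in the browser that approved this client on the proxy's consent page."""
    msg = f"{state}|{client_id}".encode()
    return hmac.new(PROXY_KEY, msg, hashlib.sha256).hexdigest()


def callback_state_only(transactions, state, code, cookies) -> bool:
    """Root cause described above: any valid state/code pair is accepted."""
    return bool(code) and state in transactions


def callback_consent_bound(transactions, state, code, cookies) -> bool:
    """Additionally require proof that this browser approved this transaction."""
    txn = transactions.get(state)
    if txn is None or not code:
        return False
    expected = consent_cookie(state, txn["client_id"])
    presented = cookies.get(CONSENT_COOKIE, "")
    # Constant-time comparison of the presented and expected cookie values.
    return hmac.compare_digest(presented.encode(), expected.encode())


def demo() -> dict:
    txns = {}
    state = start_transaction(txns, "client-a", "https://client.example/callback")
    consenting = {CONSENT_COOKIE: consent_cookie(state, "client-a")}
    other_browser = {}  # never saw the consent page, so it holds no cookie
    return {
        "state_only_other": callback_state_only(txns, state, "code123", other_browser),
        "bound_other": callback_consent_bound(txns, state, "code123", other_browser),
        "bound_consenting": callback_consent_bound(txns, state, "code123", consenting),
    }
```

A callback from a browser without the matching cookie passes the state-only check but fails the consent-bound one, which is the property to confirm after upgrading.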