Platform: python
Component: fastmcp
Fixed in: 3.2.1, 3.2.0
CVE-2026-32871 is a critical path traversal vulnerability affecting FastMCP versions up to and including 3.1.1. The flaw lets an attacker reach backend paths the integration was never meant to expose by placing directory traversal sequences in path parameters of an OpenAPI operation that FastMCP turns into an HTTP request. The vulnerability resides in the `buildurl()` method of the `RequestDirector` class. A fix is available in version 3.2.0.
The path traversal vulnerability in FastMCP allows an attacker to bypass the intended access controls of the fronted API and retrieve files and other resources outside the endpoint the operation was meant to call. Path parameter values are substituted into the backend URL without being validated or encoded as a single path segment, so a parameter value, or a crafted OpenAPI specification, containing traversal sequences (e.g., ../) rewrites the URL that FastMCP sends to the backend service. This can expose sensitive configuration files, source code, or other confidential data reachable through that backend. The impact is particularly severe because FastMCP exists to expose APIs to MCP clients, so the backend it fronts often holds a wide range of internal resources. Successful exploitation could result in data exfiltration and, depending on what the backend exposes, broader system compromise.
CVE-2026-32871 was publicly disclosed on 2026-03-31. Its CVSS score of 10 (CRITICAL) reflects maximum severity; CVSS rates impact and ease of exploitation, not the probability that a flaw will be exploited, which the EPSS figure below estimates separately. No public proof-of-concept (PoC) code had been released at the time of writing, but the low skill required (a traversal sequence in a parameter value) makes it a likely target for attackers. It is not currently listed in the CISA KEV catalog.
Organizations that use FastMCP to expose OpenAPI-described backends to MCP clients are at risk, particularly those running versions prior to 3.2.0. Deployments that do not validate path parameter values themselves and have no WAF in front of the backend are especially exposed. Shared environments in which several tenants use the same FastMCP instance are also affected, since one tenant could use the traversal to reach another tenant's data on the backend.
• python / server:
import urllib.parse

def check_path_parameter(value):
    # Inspect the raw parameter value, not the joined URL: urljoin() resolves
    # "../" segments, so a check on the joined result never fires.
    decoded = urllib.parse.unquote(urllib.parse.unquote(value))  # second pass catches double encoding
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        print(f"Potential path traversal in path parameter: {value!r}")
        return True
    return False

• linux / server:
journalctl -u fastmcp -f | grep -iE '\.\./|%2e%2e|%2f'  # assumes a systemd unit named fastmcp that logs request paths; watch for traversal sequences rather than internal function names

• generic web:
curl -I --path-as-is 'http://your-fastmcp-server/api/v1/users/../sensitive_file.txt'  # --path-as-is stops curl itself from collapsing ../ before sending; host and path are placeholders

Disclosure
Exploit status
EPSS: 0.35% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32871 is to upgrade FastMCP to version 3.2.0 or later, which contains the fix. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks requests containing directory traversal sequences in path parameters: look for `../`, `..%2F`, `%2e%2e` and double-encoded variants such as `%252e%252e`, and remember that a WAF only sees the form the request reaches it in. Additionally, review and restrict access to the OpenAPI specifications FastMCP loads, so that an attacker cannot modify the path templates themselves. After upgrading, confirm the fix by calling an operation with a path parameter that carries a traversal sequence; the request should be rejected, or the value encoded so that the resolved backend URL stays under the API base.
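The following is an added example, not FastMCP's own code: the base URL, path template and function names are assumptions for illustration. It places a naive URL builder beside a hardened one to show how a traversal sequence in a path parameter rewrites the backend path described above, and what the input check and the post-resolution prefix check from the mitigation guidance look like in Python.

```python
import urllib.parse

# Constructed base URL and OpenAPI-style path template for this example
# (assumptions for illustration, not FastMCP's own configuration).
BASE_URL = "https://backend.internal/api/v1/"
PATH_TEMPLATE = "users/{user_id}/profile"


def build_url_vulnerable(template, params, base=BASE_URL):
    """Naive builder: substitute raw parameter values, then urljoin().

    urljoin() resolves "../" segments, so a traversal sequence in a
    parameter silently moves the request to a different backend path.
    """
    path = template.format(**params)
    return urllib.parse.urljoin(base, path)


def has_traversal(value):
    """True if a path parameter value could escape its own path segment.

    Percent-decodes twice to catch double encoding (%252e%252e), then
    rejects dot segments and any path separator or NUL byte.
    """
    decoded = urllib.parse.unquote(urllib.parse.unquote(value))
    return decoded in (".", "..") or any(c in decoded for c in "/\\\x00")


def build_url_hardened(template, params, base=BASE_URL):
    """Reject traversal, encode each value as exactly one path segment,
    and verify that the resolved URL still sits under the API base."""
    encoded = {}
    for name, value in params.items():
        value = str(value)
        if has_traversal(value):
            raise ValueError(f"path parameter {name!r} rejected: {value!r}")
        # safe="" also encodes "/", so a value can never add a segment
        encoded[name] = urllib.parse.quote(value, safe="")
    url = urllib.parse.urljoin(base, template.format(**encoded))
    # Defence in depth: catch anything that still resolved outside the base
    if not url.startswith(base):
        raise ValueError(f"resolved URL {url!r} escaped base {base!r}")
    return url


if __name__ == "__main__":
    evil = {"user_id": "../../admin/config"}
    print("vulnerable:", build_url_vulnerable(PATH_TEMPLATE, evil))
    print("hardened:  ", build_url_hardened(PATH_TEMPLATE, {"user_id": "alice"}))
    try:
        build_url_hardened(PATH_TEMPLATE, evil)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

Run as a script, the vulnerable builder turns the parameter `../../admin/config` into a request for `/api/admin/config/profile`, two levels above the intended `/api/v1/users/` prefix, while the hardened builder refuses the value before any URL is formed. The prefix check at the end is deliberately redundant: it is the backstop if a future template or an encoding bypass slips past the per-parameter check.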
Update the FastMCP library to version 3.2.0 or later. This version fixes the SSRF and path traversal vulnerability. The update can be performed with the pip package manager: `pip install --upgrade fastmcp`.
CVE-2026-32871 is a critical vulnerability in FastMCP versions up to 3.1.1 that allows attackers to access arbitrary files through path traversal.
You are affected if you are using FastMCP versions 3.1.1 or earlier. Upgrade to 3.2.0 or later to mitigate the risk.
Upgrade FastMCP to version 3.2.0 or later. As a temporary workaround, implement strict input validation and consider using a WAF.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is a potential target for attackers.
Refer to the FastMCP project's official website or GitHub repository for the latest security advisories and release notes.