CVE-2026-32871: FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.
Security readout for executives and security teams
Plain-English summary
FastMCP before 3.2.0 can let an MCP client bend intended backend API requests toward other backend endpoints. Because the provider may attach configured authorization headers, this can turn a normal client request into authenticated server-side access to internal APIs.
Executive priority
Treat as urgent for any MCP service exposing OpenAPI-backed internal systems. A vulnerable deployment could let a client reuse trusted service credentials against unintended backend endpoints.
Technical view
OpenAPIProvider's RequestDirector._build_url() substituted path parameter values into URL templates without URL-encoding, then used urllib.parse.urljoin(). Traversal sequences in attacker-controlled path parameters could escape the intended API prefix and reach arbitrary backend endpoints with provider-configured authorization headers.
Likely exposure
Exposure is likely where FastMCP versions below 3.2.0 use OpenAPIProvider to expose OpenAPI-backed services, especially operations with path parameters and configured backend authorization headers. The source bundle does not prove exposure for deployments not using OpenAPIProvider.
Exploitation context
The CVE record marks KEV as false, and the supplied sources do not state active exploitation. The risk is still severe because exploitation requires network access to the MCP interface and can abuse trusted backend credentials.
Researcher notes
The key condition is unsafe path-parameter substitution before urljoin() normalization. Focus review on RequestDirector URL construction, OpenAPI path parameters, backend credential attachment, and whether reachable endpoints trust the provider's authorization context.
Mitigation direction
Upgrade PrefectHQ fastmcp to version 3.2.0 or later.
Review vendor guidance and Red Hat advisories for packaged deployments.
Restrict untrusted MCP client access until upgraded.
Reduce backend authorization scope used by OpenAPIProvider.
Limit provider reachability to only required backend endpoints.
Validation and detection
Inventory applications and containers using the fastmcp package.
Confirm deployed fastmcp versions are 3.2.0 or later.
Identify OpenAPIProvider usage with path-parameter operations.
Review provider configuration for backend authorization headers.
Check logs for requests resolving outside intended API prefixes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-918: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references SSRF or metadata access, so cloud discovery and credential material review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
2ADP providers
9Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-918 · source CWE mapping
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.