PyPI: fastmcp

GHSA-c2jp-c369-7pvx

Safety vulnerability ID: SFTY-20251030-01977

Safety legacy ID: pyup.io-80982

Affected versions of the fastmcp package are vulnerable to Improper Authentication due to a Confused Deputy flaw in the built-in OAuth authorisation flow. The /authorize endpoint—when FastMCP serves as both the OAuth Protected Resource and the Authorization Server via /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server—does not bind the dynamic client and redirect_uri to the user’s prior Entra ID consent state, allowing an attacker-controlled client to receive an authorisation code issued for the victim.

PythonPyPIGitHubGHSA
Created at: Jan 21, 2026Updated at: Jan 21, 2026

Overview

FastMCP Auth Integration Allows for Confused Deputy Account Takeover

Advisory

Affected versions of the fastmcp package are vulnerable to Improper Authentication due to a Confused Deputy flaw in the built-in OAuth authorisation flow. The /authorize endpoint—when FastMCP serves as both the OAuth Protected Resource and the Authorization Server via /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server—does not bind the dynamic client and redirect_uri to the user’s prior Entra ID consent state, allowing an attacker-controlled client to receive an authorisation code issued for the victim.

Affected Package

Affecting fastmcp package, versions
<2.13.0

Also affects

---

How to Fix

Upgrade
fastmcp
to
2.13.0
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more