CVE-2026-27124
Confused Deputy vulnerability in fastmcp (PyPI)

Vulnerability type: Confused Deputy. Known public exploits: none.

What is CVE-2026-27124 About?

This confused deputy vulnerability exists in FastMCP's OAuthProxy when it handles user consent for GitHub OAuth integrations. An attacker can obtain an access token for a victim's MCP server resources by combining two things: GitHub skips its consent page for applications the user has already authorized, and the proxy does not check that the browser completing the callback is the one that started, and consented to, the pending authorization. Exploitation relies on social engineering to lure the victim to a specially crafted authorization URL.

Affected Software

fastmcp <3.2.0

Technical Details

The vulnerability occurs because FastMCP's OAuthProxy._handle_idp_callback function does not verify that the browser delivering the authorization code is the one that actually gave consent for the corresponding client; it only matches the callback to a pending transaction. The attack proceeds as follows:

1. The attacker initiates an authentication flow through the proxy with a malicious MCP client, completes their own consent, and captures the GitHub authorization URL the proxy produces (it carries the state of the attacker's pending transaction).
2. The attacker lures a victim, who is already logged into GitHub and has previously authorized an MCP client through the same proxy, into opening the captured URL.
3. Because GitHub skips the consent page for previously authorized applications, the victim's browser is immediately redirected to the OAuthProxy's callback endpoint with an authorization code issued for the victim's GitHub account.
4. The OAuthProxy looks up the pending transaction by state, and since it performs no consent or browser-session verification, redirects the victim's browser to the malicious client's callback URL carrying that valid code.
5. The attacker exchanges the code for an access token to the benign MCP server associated with the victim's GitHub account.

Note that the OAuth state parameter alone does not stop this attack: the state is genuine, it belongs to the attacker's own transaction, and the victim's browser simply carries it. The missing check is a binding between the pending transaction and the browser session that created it (for example a cookie set when consent is collected and required again at the callback).
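The following is an added, simplified model of an OAuth proxy's IdP callback that reproduces the flaw described above and shows the session-binding check that closes it. It is illustration only, not FastMCP's code; the class and method names (OAuthProxy, start_authorization, handle_idp_callback_vulnerable, handle_idp_callback_fixed), the proxy callback URL and all codes and hostnames are hypothetical, constructed values. The real GitHub authorize endpoint is used only as a URL string; nothing is contacted.

```python
# Added illustration of the confused-deputy callback flaw; not FastMCP's code.
# All names, URLs and codes below are hypothetical, constructed values.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

IDP_AUTHORIZE = "https://github.com/login/oauth/authorize"   # real endpoint, used as a string only
PROXY_CALLBACK = "https://proxy.example/callback"            # hypothetical proxy callback URL


@dataclass
class Transaction:
    client_id: str
    client_redirect_uri: str
    browser_session: str   # cookie value of the browser that started (and consented to) this flow


class OAuthProxy:
    def __init__(self) -> None:
        self._txns: Dict[str, Transaction] = {}   # state -> pending transaction

    def start_authorization(self, client_id: str, client_redirect_uri: str) -> Tuple[str, str]:
        """An MCP client begins authorization through the proxy.

        Returns the IdP authorize URL the browser is sent to, and the session
        cookie value the proxy sets on that browser when consent is collected.
        """
        state = secrets.token_urlsafe(24)
        session = secrets.token_urlsafe(24)
        self._txns[state] = Transaction(client_id, client_redirect_uri, session)
        query = urlencode({"client_id": "proxy-github-app", "state": state, "redirect_uri": PROXY_CALLBACK})
        return f"{IDP_AUTHORIZE}?{query}", session

    def handle_idp_callback_vulnerable(self, state: str, code: str, browser_session: Optional[str]) -> Optional[str]:
        """Flawed variant: trusts the state lookup alone, so whichever browser
        arrives with a known state has its code forwarded to that transaction's client."""
        txn = self._txns.pop(state, None)
        if txn is None:
            return None
        return f"{txn.client_redirect_uri}?{urlencode({'code': code})}"

    def handle_idp_callback_fixed(self, state: str, code: str, browser_session: Optional[str]) -> Optional[str]:
        """Hardened variant: the callback must come from the browser whose
        session was bound to the transaction in start_authorization."""
        txn = self._txns.get(state)
        if txn is None or browser_session is None:
            return None
        if not secrets.compare_digest(txn.browser_session, browser_session):
            return None   # a different browser is completing someone else's transaction
        del self._txns[state]
        return f"{txn.client_redirect_uri}?{urlencode({'code': code})}"


def run_attack(use_fixed: bool) -> Optional[str]:
    """Replay the advisory's flow with constructed values.

    Returns the redirect the proxy issues to the victim's browser, or None if refused.
    """
    proxy = OAuthProxy()
    # 1. Attacker starts a flow with a malicious client and captures the IdP URL (with its state).
    idp_url, _attacker_session = proxy.start_authorization("evil-client", "https://attacker.example/cb")
    state = parse_qs(urlparse(idp_url).query)["state"][0]
    # 2-3. Victim opens the URL; GitHub skips consent and sends the victim's browser to the
    #      proxy callback with a code for the VICTIM's account (constructed here).
    victim_code = "code-for-victim-account"
    victim_session = None   # the victim's browser never started this proxy transaction
    handler = proxy.handle_idp_callback_fixed if use_fixed else proxy.handle_idp_callback_vulnerable
    return handler(state, victim_code, victim_session)


def run_legitimate() -> Optional[str]:
    """Sanity check: the hardened handler still completes a flow for the browser that started it."""
    proxy = OAuthProxy()
    idp_url, session = proxy.start_authorization("good-client", "https://client.example/cb")
    state = parse_qs(urlparse(idp_url).query)["state"][0]
    return proxy.handle_idp_callback_fixed(state, "code-for-own-account", session)


if __name__ == "__main__":
    print("vulnerable:", run_attack(use_fixed=False))   # attacker's callback receives the victim's code
    print("fixed:     ", run_attack(use_fixed=True))    # None: callback refused
    print("legit:     ", run_legitimate())
```

The vulnerable handler forwards the victim's code to the attacker's callback URL because the only thing it checks is that the state is known. The hardened handler additionally requires the cookie bound at the start of the transaction, which the victim's browser does not hold, so the forwarded redirect never happens; a legitimate flow, where the same browser starts and finishes the transaction, still succeeds.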

What is the Impact of CVE-2026-27124?

Successful exploitation may allow attackers to gain unauthorized access to the victim's resources and data on the benign MCP server, potentially leading to data exfiltration, unauthorized actions, or impersonation within the MCP ecosystem.

What is the Exploitability of CVE-2026-27124?

Exploitation is of medium complexity and requires social engineering: the victim must be lured into opening a crafted URL. The attacker never needs the victim's GitHub credentials; the token exchange uses a code that GitHub issues to the victim's browser and that the proxy forwards to the attacker's client. The attack is remote, since the victim only has to follow an attacker-supplied link. Two preconditions must hold: the target IdP (GitHub in this case) must skip the consent page for previously authorized applications, and the victim must be logged into GitHub and have previously authorized a client through the proxy. Both are common, since users tend to stay logged into GitHub and reuse MCP clients, which raises the practical risk of a successful lure.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2026-27124?

Available Upgrade Options

  • fastmcp
    • <3.2.0 → Upgrade to 3.2.0


Additional Resources

What are Similar Vulnerabilities to CVE-2026-27124?

Similar Vulnerabilities: CVE-2023-32439 , CVE-2022-41031 , CVE-2021-39659 , CVE-2020-1934 , CVE-2019-18341