External risk intelligence

FastMCP Path Traversal Via Unencoded URL Parameters.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-32871

FastMCP is a framework for building MCP servers and clients. While these tools can be internet-exposed as API endpoints or part of a larger service architecture, they are often used as internal components, middleware, or in local development environments to facilitate LLM interactions, meaning public internet exposure is plausible but not a universal design characteristic.

Server-Side Request Forgery

Jlowin Fastmcp

before 3.2.0

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

The FastMCP Python library has a vulnerability where an attacker could potentially access unintended backend endpoints by manipulating API requests. This occurs because the system directly substitutes values into URL templates without proper encoding, allowing for path traversal when constructing URLs. The issue has been addressed in version 3.2.0.

  • API substitution flaw allows unauthorized access.
  • Remember this allows bypassing intended API boundaries.
  • Confirm if this component is used and its exposure.

Attack Path

How an attacker could exploit the issue

An attacker could compromise backend services by sending specially crafted requests to a FastMCP server. If an operation in an OpenAPI specification includes a path parameter, the system directly inserts the attacker-controlled value into the URL without proper encoding. This allows the attacker to use sequences like "../" to navigate outside the intended API directory and reach arbitrary endpoints. As these requests are sent with the original authorization headers, this can lead to server-side request forgery with authenticated access.

  • Unauthenticated network access.
  • Path parameter substitution.
  • Authenticated server-side request forgery.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker could leverage this vulnerability to make requests to arbitrary backend endpoints. This is possible because the system directly substitutes parameter values into URL templates without proper encoding, and a component then interprets directory traversal sequences. This could lead to the exposure of internal APIs or services that are not meant to be publicly accessible.

  • Backend API endpoints could be accessed.
  • Path traversal allows arbitrary URL construction.
  • Unauthorized access to internal services.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, affecting FastMCP, likely falls under the purview of application or platform teams responsible for the services built with it. The first practical step is to identify all deployments of FastMCP, determine their network exposure, assess their business criticality, and locate the accountable owners for each instance before planning remediation.

  • Identify affected deployments and owners.
  • Verify network exposure and criticality.
  • Plan remediation or risk mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is FastMCP?

FastMCP is a Python framework designed to streamline the creation of Model Context Protocol (MCP) servers and clients. It allows developers to define APIs that connect LLMs to data and tools. In practice, it acts as a bridge, parsing OpenAPI specifications to help software communicate with backend services.

How does CVE-2026-32871 allow unauthorized access?

This vulnerability is a form of Server-Side Request Forgery (SSRF) linked to CWE-918 (Server-Side Request Forgery). The software fails to URL-encode user-provided path parameters before inserting them into a URL template. Because the system interprets sequence patterns like '../', an attacker can 'escape' the intended API path to reach other, restricted backend endpoints.

Do I need to send a specific type of request to trigger this?

Yes, an attacker must provide a specially crafted input within an OpenAPI path parameter. The vulnerability is not triggered if the API operation does not use path parameters or if the provided input contains only standard characters without directory traversal sequences.

Is my instance at risk if it is not internet-facing?

Halo Surface Signal notes that while FastMCP components are frequently used as internal middleware or for local development, they can also be deployed as internet-exposed API endpoints. If your FastMCP-based service is reachable from an untrusted network, the risk of external exploitation is significantly higher.

How should I respond to this vulnerability?

The most effective response is to update your FastMCP library to version 3.2.0 or later, which includes the fix. Before updating, identify all environments running this software, map their network exposure, and coordinate with the relevant development or platform teams responsible for the service configuration.

References