2448179 – (CVE-2025-69196) CVE-2025-69196 fastmcp: FastMCP: Improper token issuance due to incorrect resource parameter handling

Bug 2448179 (CVE-2025-69196) - CVE-2025-69196 fastmcp: FastMCP: Improper token issuance due to incorrect resource parameter handling

Summary: CVE-2025-69196 fastmcp: FastMCP: Improper token issuance due to incorrect res...

Keywords:
Status:	NEW
Alias:	CVE-2025-69196
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-16 19:02 UTC by OSIDB Bzimport
Modified:	2026-03-17 12:34 UTC (History)
CC List:	24 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-16 19:02:01 UTC

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
alizardo
anthomas
dfreiber
drow
ehelms
ggainey
jburrell
jchui
jhe
jkoehler
juwatts
ktsao
lphiri
mhulan
nboldt
nmoumoul
osousa
pcreech
psrna
rchan
smallamp
tmalecek
vkumar