PatchSiren cyber security CVE debrief
CVE-2025-69196 jlowin CVE debrief
CVE-2025-69196 is a high-severity vulnerability in FastMCP, a Python framework for building Model Context Protocol (MCP) servers and clients. FastMCP's OAuthProxy did not honour the `resource` parameter that a client sends in authorization and token requests: instead of issuing a token explicitly for the MCP server the client named, it issued the token for the base_url the proxy was initialised with, so the token is not bound to the specific MCP server the client asked for. An attacker can exploit this to obtain a token for an MCP server. The issue is fixed in FastMCP 2.14.2. NVD scores it CVSS 4.0 7.4 (High); the vector records high attack complexity and active user interaction. The record was published on 2026-03-16 and last modified on 2026-06-30.
- Vendor: jlowin
- Product: fastmcp
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-16
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-16
- Advisory updated: 2026-06-30
Who should care
Organizations running FastMCP older than 2.14.2 with OAuthProxy in front of one or more MCP servers should care. Because the proxy issues tokens for its base_url rather than for the MCP server the client requested, a token's audience no longer identifies the server it was meant for, and an attacker can use this to obtain a token for an MCP server, leading to unauthorized access. Defenders should upgrade to 2.14.2 or later, identify every deployment (including MCP servers embedded in internal tooling and agent frameworks), and apply compensating controls where an upgrade is delayed.
Technical summary
FastMCP's OAuthProxy did not respect the `resource` parameter (RFC 8707 resource indicators) submitted by the client in authorization and token requests. Instead of issuing a token explicitly for the MCP server the client named, it issued the token for the base_url passed to OAuthProxy during initialization, so the token's audience is the proxy's base URL rather than the specific MCP server. An attacker can exploit this to obtain a token for an MCP server. The issue is patched in version 2.14.2.

CVSS 4.0 base vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (score 7.4, High). Read out: network-reachable, high attack complexity, no attack requirements, no privileges required, active user interaction required, high confidentiality and integrity impact on the vulnerable system, no availability impact and no impact on subsequent systems. The threat, environmental and supplemental metrics in the published vector (E, CR, IR, AR, the M* modified metrics, S, AU, R, V, RE, U) are all X, that is, not defined.
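As an added illustration (this is not FastMCP's code; the proxy and server URLs, the token dictionary format and every helper name are assumptions), the following Python contrasts a token endpoint that ignores the client's `resource` parameter and binds every token to base_url with one that binds the token to the validated resource, and shows how a resource server's audience check behaves against each:

```python
"""Added example, not code from FastMCP: why an OAuth proxy must bind the
token to the client's `resource` parameter (RFC 8707) and not to its own
base_url. All URLs, the token format and helper names here are assumed."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed deployment: one proxy fronting two MCP servers under its base_url.
BASE_URL = "https://proxy.example.com"
FINANCE = "https://proxy.example.com/servers/finance/mcp"
HR = "https://proxy.example.com/servers/hr/mcp"
KNOWN_MCP_SERVERS = {FINANCE, HR}


def canonical_resource(uri: str) -> str:
    """Normalise an RFC 8707 resource indicator: absolute http(s) URI,
    lower-cased scheme and host, fragment forbidden."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError(f"resource must be an absolute URI: {uri!r}")
    if parts.fragment:
        raise ValueError(f"resource must not carry a fragment: {uri!r}")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, ""))


def resource_from_token_request(body: str) -> Optional[str]:
    """Pull the `resource` parameter out of a form-encoded token request."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("resource", [])
    if len(values) > 1:
        raise ValueError("multiple resource values in token request")
    return values[0] if values else None


def issue_token_vulnerable(body: str) -> dict:
    """Pre-2.14.2 behaviour as the advisory describes it: the client's
    resource is parsed but ignored, and the token is minted for base_url."""
    resource_from_token_request(body)  # parsed, then discarded
    return {"aud": BASE_URL, "scope": "mcp"}


def issue_token_fixed(body: str) -> dict:
    """Fixed behaviour: the token is minted for the validated resource."""
    resource = resource_from_token_request(body)
    if resource is None:
        raise PermissionError("token request without resource parameter")
    aud = canonical_resource(resource)
    if aud not in KNOWN_MCP_SERVERS:
        raise PermissionError(f"unknown resource {aud}")
    return {"aud": aud, "scope": "mcp"}


def server_accepts(server_uri: str, token: dict, accept_base_url: bool = False) -> bool:
    """Resource-server side audience check. A deployment whose proxy only
    ever mints base_url tokens is forced to set accept_base_url=True, and
    that is what lets a token minted for one server be replayed at another."""
    allowed = {canonical_resource(server_uri)}
    if accept_base_url:
        allowed.add(canonical_resource(BASE_URL))
    return token.get("aud") in allowed


# Constructed token request: a client asking for a token for the finance server.
TOKEN_REQUEST = (
    "grant_type=authorization_code&code=abc123"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcb"
    "&resource=https%3A%2F%2Fproxy.example.com%2Fservers%2Ffinance%2Fmcp"
)


def replay_works(issuer, accept_base_url: bool) -> bool:
    """Can a token obtained for FINANCE be presented to HR?"""
    token = issuer(TOKEN_REQUEST)
    return server_accepts(HR, token, accept_base_url=accept_base_url)


if __name__ == "__main__":
    print("vulnerable proxy, servers accept base_url tokens:",
          replay_works(issue_token_vulnerable, accept_base_url=True))   # True
    print("fixed proxy, servers accept base_url tokens:",
          replay_works(issue_token_fixed, accept_base_url=True))        # False
    print("fixed proxy, strict audience:",
          replay_works(issue_token_fixed, accept_base_url=False))       # False
```

The point of the `accept_base_url` flag is that the defect cannot be compensated purely on the resource-server side: as long as the proxy only mints base_url tokens, every server behind it has to accept that audience, so the audience check stops distinguishing servers. The fixed issuer also rejects requests with no `resource` and resources it does not front, which is the check a practitioner should expect a proxy to perform.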
Defensive priority
Upgrade FastMCP to 2.14.2 or later first. Then confirm the upgrade has actually reached every deployment that uses OAuthProxy, and apply compensating controls where an upgrade is delayed.
Recommended defensive actions
- Patch FastMCP to version 2.14.2 or later
- Review the inventory of affected systems, including pinned versions in requirements and lock files
- Apply compensating controls where an upgrade is delayed
- Monitor OAuthProxy authorization and token requests for `resource` values that do not name a known MCP server
- Update incident response plans to cover tokens issued by a vulnerable proxy
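An added inventory check (not PatchSiren's or FastMCP's tooling) for the first two actions above. It assumes only the fixed version stated on this page and the PyPI distribution name `fastmcp`; the requirements text below is a constructed sample. Version comparison is numeric, so 2.14.10 is correctly treated as newer than 2.14.2, and pre-releases such as 2.14.2rc1 are treated as older than the fix:

```python
"""Added example, not project code: flag FastMCP installs and pins older
than the fixed version 2.14.2. Distribution name and fixed version are the
only facts assumed from the advisery text."""
import re
from importlib import metadata
from typing import List, Optional, Tuple

FIXED = "2.14.2"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?")
_PIN_RE = re.compile(r"^\s*fastmcp\s*==\s*([^\s;#]+)", re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Numeric tuple so 2.14.10 sorts after 2.14.2. Pre-releases (a/b/rc)
    sort before the final release with the same number."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        rank = {"a": 0, "b": 1, "rc": 2}[m.group(4)]
        return (major, minor, patch, rank, int(m.group(5)))
    return (major, minor, patch, 3, 0)


def is_vulnerable(installed: str) -> bool:
    """True when the given version predates the fix."""
    return parse_version(installed) < parse_version(FIXED)


def installed_fastmcp_version() -> Optional[str]:
    """Version of fastmcp in the current interpreter, or None if absent."""
    try:
        return metadata.version("fastmcp")
    except metadata.PackageNotFoundError:
        return None


def vulnerable_pins(requirements_text: str) -> List[str]:
    """Pinned fastmcp versions in a requirements/constraints file below the fix."""
    hits = []
    for line in requirements_text.splitlines():
        m = _PIN_RE.match(line)
        if m and is_vulnerable(m.group(1)):
            hits.append(m.group(1))
    return hits


def audit_environment() -> str:
    """One-line verdict for the running interpreter."""
    v = installed_fastmcp_version()
    if v is None:
        return "fastmcp not installed in this interpreter"
    state = "VULNERABLE, upgrade to >= " + FIXED if is_vulnerable(v) else "patched"
    return f"fastmcp {v}: {state}"


# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """\
# constructed sample
fastapi==0.115.0
fastmcp==2.14.1
FastMCP==2.14.2 ; python_version >= "3.10"
"""

if __name__ == "__main__":
    print(audit_environment())
    print("vulnerable pins in sample:", vulnerable_pins(SAMPLE_REQUIREMENTS))  # ['2.14.1']
```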
Evidence notes
The stored evidence records the CVE as published on 2026-03-16 and last modified on 2026-06-30, with a CVSS 4.0 base score of 7.4 (High), a fix in FastMCP 2.14.2, and no CISA KEV listing.
Official resources
- CVE-2025-69196 CVE record (CVE.org)
- CVE-2025-69196 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (tagged Exploit, Mitigation, Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.