Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
  • Experiencing a breach?
  • Blog
  • Careers

  • Platform & Products

    • Singularity™ Platform

      Unified Enterprise Security. Machine-Speed Protection, Intelligence, and Response.

    • XDR

      Native and Open Protection, Detection, and Response.

    • Integrations and Partners

      One-Click Integrations to Unlock the Power of SentinelOne.

    Product Tours
    Pricing & Packages
    Get a Demo

  • Solutions & Use Cases

    SentinelOne for Industries

    Security Tuned for Your Industry.

    See All Industries
    • Healthcare

      Protect Patient Data. Keep Clinical Systems Online.

    • Financial Services

      Stop Fraud and Ransomware. Stay Audit-Ready.

    • Federal Government

      FedRAMP and IL5-Ready Defense for Federal Missions.

    • Manufacturing

      Defend OT, IT, IIOT, and Supply Chains at Scale.

    • Energy

      Secure OT Systems and Critical Infrastructure.

    • Transportation and Logistics

      Defend Operations Across Fleet, Port, and Rail.

    • Higher Education

      Protect Open Networks Without Slowing Research.

    • K-12 Education

      Stop Ransomware. Protect Students, Staff, and Data.

    • Retail and Hospitality

      Defend Your Brand, Customer Data, and Bottom Line.

    • SMB & Startups

      Enterprise-Grade Defense for Fast Teams.

    See all solutions

  • Services

    Managed Services

    Wayfinder Threat Detection and Response.

    Learn More
    • Threat Hunting

      World-Class Expertise and Threat Intelligence.

    • Managed Detection and Response

      24/7 Expert MDR Across Your Entire Environment.

    • Incident Readiness and Response

      DFIR, Breach Readiness, and Compromise Assessments.

    Experiencing a breach?

    Our experts are here to help 24/7.

    1-855-868-3733
    Get Help Now

  • Partners

    Become a Partner

    • Become a SentinelOne Partner

      Join the Global SentinelOne Ecosystem

    • Explore MSSP Solutions

      Services Succeed Faster with SentinelOne

    • Form a Technology Alliance

      Integrated, Enterprise-Scale Solutions

    Find a Partner

    • Enlist a Response or Advisory Team

      Enlist Pro Response and Advisory Teams

    • SentinelOne for AWS

      Hosted Across AWS Regions Worldwide

    • SentinelOne for Google

      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale

    • Partner Locator

      Your Go-to Source for Our Top Partners in Your Region

    • Singularity Marketplace

      One-Click Integrations for Unified Prevention, Detection, and Response

      Explore integrations
    Partner Portal Login

  • Why SentinelOne

    • Why Choose SentinelOne

      AI-Powered Cybersecurity Built to Secure What’s Next.

    • Our Customers

      Trusted by the World’s Leading Companies.

    • Industry Awards & Recognition

      Tested and Proven by the Experts.

  • Resources & Support

    Resources

    • Resource Center
    • Webinars
    • Cybersecurity Blog
    • Events
    • Newsroom

    Company

    • About SentinelOne
    • Careers
    • S Ventures
    • S Foundation
    • Dataset
    • FAQ
    • Investors Relations

    Customer Success & Support

    • Live and On-Demand Training
    • Guided Onboarding & Deployment
    • Technical Account Management
    • Support Services
    • Customer Portal
    • Get Support Now

    Explore

    • Vulnerability Database
    • SentinelLABS Threat Research
    • Ransomeware Anthology
    • Cybersecurity 101
    EventJoin us at OneCon (Oct. 20–22, 2026)
    CompetitionThreat Hunting World Championship 2026
    ReportThe SentinelOne Annual Threat Report
  • Pricing
Get StartedContact us

Explore SentinelOne

  • Pricing
Events
Get StartedContact us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32871

CVE-2026-32871: FastMCP OpenAPIProvider SSRF Vulnerability

CVE-2026-32871 is an authenticated SSRF flaw in FastMCP's OpenAPIProvider that allows path traversal attacks to access arbitrary backend endpoints. This post explains its impact, affected versions, and mitigation steps.

Published: April 2, 2026

CVE-2026-32871 Overview

CVE-2026-32871 is a critical Server-Side Request Forgery (SSRF) vulnerability in FastMCP, a Python library for building MCP (Model Context Protocol) servers and clients. The vulnerability exists in the _build_url() method within the RequestDirector class of the OpenAPIProvider component. When processing OpenAPI specifications that define path parameters, the system fails to properly URL-encode parameter values before constructing HTTP requests, allowing attackers to inject directory traversal sequences and escape intended API prefixes.

Critical Impact

Attackers can exploit this path traversal flaw to perform authenticated SSRF attacks, accessing arbitrary backend endpoints with the authorization headers configured in the MCP provider, potentially leading to unauthorized data access or further exploitation of internal services.

Affected Products

  • FastMCP versions prior to 3.2.0
  • Applications using OpenAPIProvider with user-controllable path parameters
  • MCP servers exposing internal APIs through FastMCP's OpenAPI integration

Discovery Timeline

  • 2026-04-02 - CVE CVE-2026-32871 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-32871

Vulnerability Analysis

The vulnerability resides in FastMCP's OpenAPIProvider component, specifically within the RequestDirector class that handles HTTP request construction for backend API calls. When an OpenAPI specification defines operations with path parameters (e.g., /api/v1/users/{user_id}), the _build_url() method directly substitutes user-supplied parameter values into the URL template string without performing URL-encoding.

The core issue arises from the subsequent use of urllib.parse.urljoin() to resolve the final URL. Python's urljoin() function interprets ../ sequences as directory traversal instructions, treating them as legitimate path navigation rather than literal string values. This behavior, combined with the lack of input sanitization, creates an exploitable path traversal condition.

An attacker who controls a path parameter value can inject sequences like ../../../internal-api/admin to escape the intended API prefix (e.g., /api/v1/users/) and construct requests to arbitrary endpoints on the backend server. Since these requests are sent with the authorization headers configured in the MCP provider, this constitutes an authenticated SSRF vulnerability with significant impact potential.

Root Cause

The root cause is improper input validation and insufficient URL encoding in the _build_url() method. The method fails to sanitize or encode path parameter values before string interpolation, and Python's urllib.parse.urljoin() function inherently processes ../ sequences as path traversal. This combination allows user-controlled input to manipulate the final request destination, violating the principle that user input should never directly influence request routing without proper validation and encoding.

Attack Vector

This vulnerability is exploitable over the network by any attacker who can supply values for path parameters in API operations exposed through FastMCP's OpenAPIProvider. The attack requires no authentication to the FastMCP layer itself, though the SSRF requests will carry whatever authentication credentials are configured in the provider. An attacker would craft malicious parameter values containing ../ sequences to traverse out of the expected API path and target internal endpoints, potentially accessing sensitive resources, administrative interfaces, or cloud metadata services that would otherwise be unreachable.

Detection Methods for CVE-2026-32871

Indicators of Compromise

  • HTTP request logs showing path parameters containing ../ sequences or URL-encoded equivalents (%2e%2e%2f)
  • Backend access logs revealing requests to unexpected endpoints originating from the MCP server
  • Unusual patterns of internal API access from the FastMCP service account
  • Authentication token usage on endpoints outside the expected API scope

Detection Strategies

  • Implement web application firewall rules to detect and block path traversal patterns in API parameters
  • Monitor application logs for RequestDirector activity with suspicious path parameter values
  • Deploy network-level monitoring to detect unexpected internal service communications from MCP components
  • Use runtime application self-protection (RASP) solutions to identify path manipulation attempts

Monitoring Recommendations

  • Enable verbose logging for the OpenAPIProvider component to capture all URL construction activity
  • Set up alerts for any 4xx or 5xx responses from endpoints outside the configured API prefix
  • Monitor outbound network connections from FastMCP services for connections to internal IP ranges or cloud metadata endpoints
  • Implement audit logging for all requests processed by the RequestDirector class

How to Mitigate CVE-2026-32871

Immediate Actions Required

  • Upgrade FastMCP to version 3.2.0 or later immediately
  • Audit existing OpenAPI specifications for operations with path parameters that accept user input
  • Review backend access logs for evidence of exploitation attempts
  • Consider implementing additional input validation at the application layer as defense-in-depth

Patch Information

The vulnerability has been addressed in FastMCP version 3.2.0. The fix, implemented in commit 40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71, properly URL-encodes path parameter values before URL construction, preventing path traversal sequences from being interpreted by urljoin(). Users should upgrade via pip: pip install fastmcp>=3.2.0. For more details, see the GitHub Security Advisory GHSA-vv7q-7jx5-f767 and the v3.2.0 release notes.

Workarounds

  • Implement input validation at the application layer to reject path parameters containing ../, ..\\, or URL-encoded traversal sequences
  • Deploy a reverse proxy or web application firewall in front of the MCP server to filter malicious requests
  • Restrict network egress from the FastMCP service to only explicitly required backend endpoints
  • If possible, avoid exposing OpenAPI operations with user-controllable path parameters until the upgrade is complete

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeSSRF
  • Vendor/TechFastmcp
  • SeverityCRITICAL
  • CVSS Score10.0
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-918
  • Technical References
  • GitHub Commit Update
  • GitHub Pull Request #3507
  • GitHub Release v3.2.0
  • GitHub Security Advisory GHSA-vv7q-7jx5-f767
  • Related CVEs
  • CVE-2025-64340: FastMCP Command Injection Vulnerability
  • CVE-2026-27124: FastMCP OAuth Authentication Bypass Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
Get a DemoContact Us
  • Product Tours
  • Why SentinelOne
  • Pricing & Packages
  • FAQ
  • SentinelOne Status

Key Products & Solutions

  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Prompt Security
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Explore Solutions

Services

  • Wayfinder TDR
  • Managed Detection and Response
  • Threat Hunting
  • Incident Readiness
& Response
  • Technical Account Management
  • Guided Onboarding 
& Deployment
  • Support Services

Company

  • About Us
  • Our Customers
  • Careers
  • Partners
  • S1 Foundation
  • S1 Ventures
  • Legal Information
  • Security & Compliance
  • Investor Relations

Quick Links

  • Customer Portal
  • Partner Portal
  • Become a Partner
  • Resource Center
  • SentinelLABS Threat Research
  • Blog
  • Press Center
  • Cybersecurity 101
  • Events
  • Ransomware Anthology
©2026 SentinelOne, All Rights Reserved
Privacy NoticeTerms of Use
English
English