Incorrect Authorization

CVE-2025-69196

High

7.4/10

Summary

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the "base_url" passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-863 - Incorrect Authorization

Authorization is a security mechanism performed by an application to grant or deny access to the requested resources by verifying the privileges of the user. When an application lacks effective authorization mechanisms, it enables unauthorized users to gain unintended privileges and illegitimate access to resources. Such a vulnerability may result in exposure of sensitive information, denial of service, arbitrary code execution, and complete system takeover.

References

Advisory Timeline

Published Mar 16, 2026

Incorrect Authorization

CVE-2025-69196

Summary

CWE-863 - Incorrect Authorization

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS