CVE-2025-69196 HIGH

CVE-2025-69196: FastMCP OAuth Proxy token reuse across MCP servers

Vendor Jlowin

Product fastmcp

Weakness CWE-863 · Incorrect authorization

Published March 16, 2026

Last update June 30, 2026

View on NVD All CVEs

CVSS base score

7.4/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

Key dates

02Disclosure timeline

March 16, 2026 CVE published

June 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-69196

Related vulnerabilities

CVE-2025-69196: FastMCP OAuth Proxy token reuse across MCP servers

01Description

02Disclosure timeline

03References

04Related CVE