CVE-2025-69196 - Vulnerability Analysis
MediumCVSS: 6.5Last Updated: March 18, 2026
FastMCP - Authorization Bypass
Published: March 16, 2026Updated: March 18, 2026PoC AvailableRemote Exploitable
Overview
FastMCP < 2.14.2 contains an authorization bypass caused by improper handling of the resource parameter in OAuth token requests, letting attackers obtain tokens for unintended resources, exploit requires crafted token requests.
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Attackers can obtain OAuth tokens for unintended resources, potentially accessing unauthorized data or services.
Mitigation
Update to version 2.14.2 or later.
Related Resources
Details
- CVE ID
- CVE-2025-69196
- Severity
- Medium
- CVSS Score
- 6.5
- Type
- broken_access_control
- Status
- confirmed
CWE
- CWE-863
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N