fastmcp

jlowin/fastmcp

776 files · 2275 findings

Share GitHub SARIF JSON

225 critical1659 high391 medium

Tool Poisoning1 issue

Command Injection2 issues

Path Traversal56 issues

SSRF627 issues

Credential Theft2 issues

Excessive Permissionsclean

Missing Auth239 issues

Missing Auth239

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

.github/actions/run-claude/action.yml:10

#       claude-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Supply Chain51

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/actions/run-claude/action.yml:81

uses: anthropics/claude-code-action@v1

How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

SSRF627

HTTP request with unvalidated URL parameter

high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

examples/apps/approvals/approvals_server.py:159

req = _find_request(request_id)

How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

Shadow MCP Server533

Undocumented dynamic tool registration

high

Detected server.tool() being called with a variable instead of a string literal for the tool name. Dynamic tool registration can be used to inject tools at runtime that were not part of the original server definition.

examples/apps/approvals/approvals_server.py:6

- @app.tool(model=True) for tools accessible from both model and UI

How to fix

Always use static string literals for tool names when calling server.tool(). Avoid registering tools from variables, configuration, or user input.

Runtime Tool Poisoning582

Response referencing or invoking other tools

high

Detected tool responses that attempt to call or invoke other tools (use_tool, call_tool, invoke, execute_tool). A poisoned tool response could trick the LLM into executing additional tools without user consent.

examples/atproto_mcp/demo.py:58

result = await client.call_tool("search", {"query": "Bluesky", "limit": 5})

How to fix

Tool responses should never contain tool invocation patterns. Validate and sanitize all output to ensure it does not include cross-tool call instructions.

Data Exfiltration18

Clipboard or screenshot access for exfiltration

high

Accessing clipboard contents or taking screenshots may be used to capture and exfiltrate sensitive data.

examples/fastmcp_config_demo/server.py:20

def take_screenshot() -> Image:

How to fix

Remove clipboard/screenshot access unless explicitly required by the tool's stated purpose.

Excessive Data Exposure11

Returning entire database records without field filtering

medium

Detected SELECT * or ORM queries without explicit field selection. Returning all columns risks exposing sensitive fields (passwords, tokens, internal IDs) to the client or LLM context.

examples/providers/sqlite/server.py:81

async with db.execute("SELECT * FROM tools WHERE enabled = 1") as cursor:

How to fix

Always specify the exact columns or fields to return. Use SELECT with explicit column names or ORM select/projection options.

Path Traversal56

Windows-style path traversal patterns

high

Backslash-based directory traversal patterns targeting Windows file systems.

examples/skills/client.py:50

print(result[0].text[:500] + "...\n")

How to fix

Normalize path separators and apply traversal checks for both forward and backslashes.

Logging Deficiency137

Empty catch blocks swallowing errors

medium

Detected catch blocks with empty bodies. Empty catch blocks silently swallow errors, making it impossible to diagnose failures, detect attacks, or audit security-relevant events.

src/fastmcp/cli/apps_dev.py:883

.catch(function() {})

How to fix

Always handle or log errors in catch blocks. At minimum, log the error for debugging and auditing purposes.

Rug Pull12

Dynamic import from variable URL

critical

Dynamic imports with variable URLs can load malicious code at runtime.

src/fastmcp/client/mixins/tools.py:383

# avoid a circular import (client.client -> mixins.tools -> client.client),

How to fix

Use static imports only. Do not dynamically import modules from variable paths.

Credential Theft2

Hardcoded API key or token literal

critical

String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code.

tests/conformance/server.py:26

"iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR4"

How to fix

Remove hardcoded secrets from source code. Use environment variables or a secrets manager.

Insecure Communication4

Missing HSTS headers on HTTP server

medium

An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.

tests/conformance/test_conformance.py:26

s.listen(1)

How to fix

Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.

Tool Poisoning1

Cross-tool shadowing of system commands

high

Tool names mimicking built-in system tools (e.g., 'bash', 'shell', 'terminal') can trick the LLM into routing actions to a malicious handler.

tests/experimental/transforms/test_code_mode.py:456

discovery_tools=[Search(name="execute")],

How to fix

Rename the tool to avoid colliding with system commands (bash, shell, exec, etc.).

Command Injection2

Python exec() call

critical

Python's exec() function executes arbitrary code strings and is a vector for code injection.

tests/experimental/transforms/test_code_mode.py:85

exec(wrapped, namespace, namespace)

How to fix

Remove exec() calls. Use ast.literal_eval for safe expression evaluation.

Data Exfiltration18 issues

Insecure Communication4 issues

Excessive Data Exposure11 issues

Logging Deficiency137 issues

Runtime Tool Poisoning582 issues

Shadow MCP Server533 issues

Missing OAuth scope validation

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

.github/actions/run-claude/action.yml:27

claude-oauth-token:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

.github/actions/run-claude/action.yml:28

description: "Claude Code OAuth token for authentication"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

.github/actions/run-claude/action.yml:84

claude_code_oauth_token: ${{ inputs.claude-oauth-token }}

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

.github/workflows/martian-test-failure.yml:159

"GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

.github/workflows/martian-triage-issue.yml:50

claude-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

.github/workflows/marvin-comment-on-issue.yml:55

claude-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

.github/workflows/marvin-comment-on-pr.yml:76

claude-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/authkit_dcr/client.py:1

"""OAuth client example for connecting to FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/authkit_dcr/client.py:3

This example demonstrates how to connect to an OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/authkit_dcr/client.py:12

from fastmcp.client.auth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/authkit_dcr/client.py:21

auth = OAuth(additional_client_metadata={"token_endpoint_auth_method": "none"})

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/aws_oauth/client.py:1

"""OAuth client example for connecting to FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/aws_oauth/client.py:3

This example demonstrates how to connect to an OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/aws_oauth/client.py:18

async with Client(SERVER_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/aws_oauth/server.py:1

"""AWS Cognito OAuth server example for FastMCP.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/aws_oauth/server.py:22

from fastmcp.server.dependencies import get_access_token

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/aws_oauth/server.py:38

mcp = FastMCP("AWS Cognito OAuth Example Server", auth=auth)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/aws_oauth/server.py:50

token = get_access_token()

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/azure_oauth/client.py:1

"""OAuth client example for connecting to FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/azure_oauth/client.py:3

This example demonstrates how to connect to an OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/azure_oauth/client.py:18

async with Client(SERVER_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/clerk_oauth/client.py:1

"""OAuth client example for connecting to a Clerk-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/clerk_oauth/client.py:3

This example demonstrates how to connect to an OAuth-protected FastMCP server

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/clerk_oauth/client.py:19

async with Client(SERVER_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/discord_oauth/client.py:1

"""Discord OAuth client example for connecting to FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/discord_oauth/client.py:3

This example demonstrates how to connect to a Discord OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/discord_oauth/client.py:18

async with Client(SERVER_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/discord_oauth/server.py:1

"""Discord OAuth server example for FastMCP.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/discord_oauth/server.py:3

This example demonstrates how to protect a FastMCP server with Discord OAuth.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/discord_oauth/server.py:6

- FASTMCP_SERVER_AUTH_DISCORD_CLIENT_ID: Your Discord OAuth app client ID

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/discord_oauth/server.py:7

- FASTMCP_SERVER_AUTH_DISCORD_CLIENT_SECRET: Your Discord OAuth app client secret

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/discord_oauth/server.py:25

mcp = FastMCP("Discord OAuth Example Server", auth=auth)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/client.py:1

"""OAuth client example for connecting to FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/client.py:3

This example demonstrates how to connect to an OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/client.py:11

from fastmcp.client import Client, OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/client.py:18

async with Client(SERVER_URL, auth=OAuth()) as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/server.py:1

"""GitHub OAuth server example for FastMCP.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/server.py:3

This example demonstrates how to protect a FastMCP server with GitHub OAuth.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/server.py:6

- FASTMCP_SERVER_AUTH_GITHUB_CLIENT_ID: Your GitHub OAuth app client ID

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/server.py:7

- FASTMCP_SERVER_AUTH_GITHUB_CLIENT_SECRET: Your GitHub OAuth app client secret

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/github_oauth/server.py:25

mcp = FastMCP("GitHub OAuth Example Server", auth=auth)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/google_oauth/client.py:1

"""OAuth client example for connecting to FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/google_oauth/client.py:3

This example demonstrates how to connect to an OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/google_oauth/client.py:18

async with Client(SERVER_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/client.py:1

"""Mounted OAuth servers client example for FastMCP.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/client.py:3

This example demonstrates connecting to multiple mounted OAuth-protected MCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/client.py:21

async with Client(GITHUB_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/client.py:36

async with Client(GOOGLE_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:1

"""Mounted OAuth servers example for FastMCP.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:3

This example demonstrates mounting multiple OAuth-protected MCP servers in a single

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:10

- GitHub discovery: http://localhost:8000/.well-known/oauth-authorization-server/api/mcp/github

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:11

- Google discovery: http://localhost:8000/.well-known/oauth-authorization-server/api/mcp/google

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:14

- FASTMCP_SERVER_AUTH_GITHUB_CLIENT_ID: Your GitHub OAuth app client ID

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:15

- FASTMCP_SERVER_AUTH_GITHUB_CLIENT_SECRET: Your GitHub OAuth app client secret

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:16

- FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID: Your Google OAuth client ID

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:17

- FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET: Your Google OAuth client secret

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:37

# --- GitHub OAuth Server ---

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:57

return "This is the GitHub OAuth protected MCP server"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:60

# --- Google OAuth Server ---

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:80

return "This is the Google OAuth protected MCP server"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:93

# - /.well-known/oauth-authorization-server/api/mcp/github

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:94

# - /.well-known/oauth-authorization-server/api/mcp/google

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:109

print("Starting mounted OAuth servers...")

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:115

f"  GitHub:  {ROOT_URL}/.well-known/oauth-authorization-server{API_PREFIX}/github"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/mounted/server.py:118

f"  Google:  {ROOT_URL}/.well-known/oauth-authorization-server{API_PREFIX}/google"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/propelauth_oauth/client.py:1

"""OAuth client example for connecting to PropelAuth-protected FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/propelauth_oauth/client.py:3

This example demonstrates how to connect to a PropelAuth OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/propelauth_oauth/client.py:18

async with Client(SERVER_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/scalekit_oauth/client.py:1

"""OAuth client example for connecting to Scalekit-protected FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/scalekit_oauth/client.py:3

This example demonstrates how to connect to a Scalekit OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/scalekit_oauth/client.py:18

async with Client(SERVER_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/workos_oauth/client.py:1

"""OAuth client example for connecting to FastMCP servers.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/workos_oauth/client.py:3

This example demonstrates how to connect to an OAuth-protected FastMCP server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/workos_oauth/client.py:18

async with Client(SERVER_URL, auth="oauth") as client:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/workos_oauth/server.py:1

"""WorkOS OAuth server example for FastMCP.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/workos_oauth/server.py:3

This example demonstrates how to protect a FastMCP server with WorkOS OAuth.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/auth/workos_oauth/server.py:27

mcp = FastMCP("WorkOS OAuth Example Server", auth=auth)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing rate limiting on endpoint

medium

API endpoints without rate limiting are vulnerable to brute force and denial of service.

examples/tags_example.py:19

@app.get("/users", tags=["users", "public"])

How to fix

Add rate limiting middleware to all public API endpoints.

Missing rate limiting on endpoint

medium

API endpoints without rate limiting are vulnerable to brute force and denial of service.

examples/tags_example.py:25

@app.post("/users", tags=["users", "admin"])

How to fix

Add rate limiting middleware to all public API endpoints.

Missing rate limiting on endpoint

medium

API endpoints without rate limiting are vulnerable to brute force and denial of service.

examples/tags_example.py:31

@app.get("/admin/stats", tags=["admin", "internal"])

How to fix

Add rate limiting middleware to all public API endpoints.

Missing rate limiting on endpoint

medium

API endpoints without rate limiting are vulnerable to brute force and denial of service.

examples/tags_example.py:37

@app.get("/health", tags=["public"])

How to fix

Add rate limiting middleware to all public API endpoints.

Missing rate limiting on endpoint

medium

API endpoints without rate limiting are vulnerable to brute force and denial of service.

examples/tags_example.py:43

@app.get("/metrics")

How to fix

Add rate limiting middleware to all public API endpoints.

No CSRF protection on state-changing endpoint

medium

POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.

examples/tags_example.py:25

@app.post("/users", tags=["users", "admin"])

How to fix

Implement CSRF protection using tokens or SameSite cookies.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

examples/text_me.py:56

"Authorization": f"Bearer {surge_settings.api_key}",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/cli/client.py:236

Applies ``auth='oauth'`` automatically for HTTP-based targets unless

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/cli/client.py:247

effective_auth = "oauth"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/cli/client.py:691

help="Auth method: 'oauth', a bearer token string, or 'none' to disable",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/cli/client.py:691

help="Auth method: 'oauth', a bearer token string, or 'none' to disable",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/cli/client.py:847

help="Auth method: 'oauth', a bearer token string, or 'none' to disable",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/cli/client.py:847

help="Auth method: 'oauth', a bearer token string, or 'none' to disable",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/cli/generate.py:701

help="Auth method: 'oauth', a bearer token string, or 'none' to disable",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/cli/generate.py:701

help="Auth method: 'oauth', a bearer token string, or 'none' to disable",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/__init__.py:1

from .auth import OAuth, BearerAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/__init__.py:23

"OAuth",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/auth/__init__.py:1

from .bearer import BearerAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/auth/__init__.py:2

from .oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/auth/__init__.py:2

from .oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/auth/__init__.py:4

__all__ = ["BearerAuth", "OAuth"]

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/auth/bearer.py:16

request.headers["Authorization"] = f"Bearer {self.token.get_secret_value()}"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:2

OAuth callback server for handling authorization code flows.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:4

This module provides a reusable callback server that can handle OAuth redirects

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:37

title: str = "FastMCP OAuth",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:40

"""Create a styled HTML response for OAuth callbacks."""

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:96

"""Container for OAuth callback results, used with anyio.Event for async coordination."""

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:111

Create an OAuth callback server.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:115

callback_path: The path to listen for OAuth redirects on

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:140

"""Handle OAuth callback requests with proper HTML responses."""

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:178

# Check for missing state parameter (indicates OAuth flow issue)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:181

"The OAuth server did not return the expected state parameter."

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/oauth_callback.py:226

print("🎭 OAuth Callback Test Server")

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:19

from fastmcp.client.auth.bearer import BearerAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:20

from fastmcp.client.auth.oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:20

from fastmcp.client.auth.oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:34

auth: httpx.Auth | Literal["oauth"] | str | None = None,

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:44

auth: Authentication method - httpx.Auth, "oauth" for OAuth flow,

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:44

auth: Authentication method - httpx.Auth, "oauth" for OAuth flow,

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:45

or a bearer token string.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:99

def _set_auth(self, auth: httpx.Auth | Literal["oauth"] | str | None):

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:101

if auth == "oauth":

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:102

resolved = OAuth(

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:107

elif isinstance(auth, OAuth):

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:109

# Only inject the transport's factory into OAuth if OAuth still

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/http.py:109

# Only inject the transport's factory into OAuth if OAuth still

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:18

from fastmcp.client.auth.bearer import BearerAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:19

from fastmcp.client.auth.oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:19

from fastmcp.client.auth.oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:32

auth: httpx.Auth | Literal["oauth"] | str | None = None,

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:66

def _set_auth(self, auth: httpx.Auth | Literal["oauth"] | str | None):

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:68

if auth == "oauth":

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:69

resolved = OAuth(

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:74

elif isinstance(auth, OAuth):

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:76

# Only inject the transport's factory into OAuth if OAuth still

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/client/transports/sse.py:76

# Only inject the transport's factory into OAuth if OAuth still

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/dependencies.py:14

CurrentAccessToken,

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/dependencies.py:27

"CurrentAccessToken",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/mcp_config.py:219

str | Literal["oauth"] | httpx.Auth | None,

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/mcp_config.py:221

description='Either a string representing a Bearer token, the literal "oauth" to use OAuth authentication, or an httpx.Auth instance for custom authentication.',

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/mcp_config.py:221

description='Either a string representing a Bearer token, the literal "oauth" to use OAuth authentication, or an httpx.Auth instance for custom authentication.',

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/mcp_config.py:221

description='Either a string representing a Bearer token, the literal "oauth" to use OAuth authentication, or an httpx.Auth instance for custom authentication.',

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/handlers/authorize.py:54

discovery_endpoint: URL of the OAuth metadata discovery endpoint

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/handlers/authorize.py:76

<p>Your MCP client opened this page to complete OAuth authorization,

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/handlers/authorize.py:92

OAuth 2.0 requires clients to register before authorization.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/handlers/authorize.py:96

In browser-delegated OAuth flows, your application cannot

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/handlers/authorize.py:172

This maintains OAuth 2.1 compliance (returns 400 for invalid client_id)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/handlers/authorize.py:186

provider: OAuth authorization server provider

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/handlers/authorize.py:259

discovery_endpoint = f"{self._base_url}/.well-known/oauth-authorization-server"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/handlers/authorize.py:317

f'<{registration_endpoint}>; rel="http://oauth.net/core/2.1/#registration"'

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/oauth_proxy/__init__.py:1

"""OAuth Proxy Provider for FastMCP.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/oauth_proxy/__init__.py:3

This package provides OAuth proxy functionality split across multiple modules:

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/auth/redirect_validation.py:1

"""Utilities for validating client redirect URIs in OAuth flows.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/event_store.py:80

# PydanticAdapter for type-safe storage (following OAuth proxy pattern)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/server/mixins/transport.py:114

which can be useful for OAuth callbacks, health checks, or admin APIs.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/tests.py:16

from fastmcp.client.auth.oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/tests.py:16

from fastmcp.client.auth.oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/tests.py:225

class HeadlessOAuth(OAuth):

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/tests.py:225

class HeadlessOAuth(OAuth):

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/tests.py:227

OAuth provider that bypasses browser interaction for testing.

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/tests.py:229

This simulates the complete OAuth flow programmatically by making HTTP requests

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/tests.py:234

"""Initialize HeadlessOAuth with stored response tracking."""

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/tests.py:263

f"OAuth authorization failed: {error} - {error_desc}"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/ui.py:4

This module provides reusable HTML/CSS components for OAuth callbacks,

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

src/fastmcp/utilities/ui.py:304

# Redirect section styles (for OAuth redirect URI box)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_auth.py:7

from fastmcp.client.auth.bearer import BearerAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_auth.py:22

Client(transport=StdioTransport("echo", ["hello"]), auth="oauth")

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_auth.py:26

transport=StreamableHttpTransport("http://localhost:8000"), auth="oauth"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_auth.py:33

transport=StreamableHttpTransport("http://localhost:8000", auth="oauth"),

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_auth.py:39

client = Client(transport=SSETransport("http://localhost:8000"), auth="oauth")

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_auth.py:44

client = Client(transport=SSETransport("http://localhost:8000", auth="oauth"))

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_transport.py:71

"headers": {"Authorization": "Bearer 123"},

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_transport.py:79

assert transport.transport.headers == {"Authorization": "Bearer 123"}

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/client/test_transport.py:117

"headers": {"Authorization": "Bearer 123"},

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/test_oauth_callback_xss.py:1

"""Comprehensive XSS protection tests for OAuth callback HTML rendering."""

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing rate limiting on endpoint

medium

API endpoints without rate limiting are vulnerable to brute force and denial of service.

tests/client/test_openapi.py:17

@app.get("/headers")

How to fix

Add rate limiting middleware to all public API endpoints.

Missing rate limiting on endpoint

medium

API endpoints without rate limiting are vulnerable to brute force and denial of service.

tests/client/test_openapi.py:21

@app.get("/headers/{header_name}")

How to fix

Add rate limiting middleware to all public API endpoints.

Missing rate limiting on endpoint

medium

API endpoints without rate limiting are vulnerable to brute force and denial of service.

tests/client/test_openapi.py:25

@app.post("/headers")

How to fix

Add rate limiting middleware to all public API endpoints.

No CSRF protection on state-changing endpoint

medium

POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.

tests/client/test_openapi.py:25

@app.post("/headers")

How to fix

Implement CSRF protection using tokens or SameSite cookies.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_no_redirect.py:50

headers={"Authorization": "Bearer secret-token"},

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_no_redirect.py:85

headers={"Authorization": "Bearer secret-token"},

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_no_redirect.py:89

assert received_headers.get("authorization") == "Bearer secret-token"

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_no_redirect.py:94

"Bearer my-secret-token",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_no_redirect.py:164

headers={"Authorization": "Bearer secret"},

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:10

from fastmcp.client.auth.oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:10

from fastmcp.client.auth.oauth import OAuth

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:20

auth="oauth",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:23

assert isinstance(transport.auth, OAuth)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:38

auth="oauth",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:41

assert isinstance(transport.auth, OAuth)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:135

async def test_streamable_http_verify_propagates_to_oauth(self):

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:139

auth="oauth",

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:141

assert isinstance(transport.auth, OAuth)

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.

Missing OAuth scope validation

medium

OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.

tests/client/transports/test_transports.py:148

async def test_sse_verify_propagates_to_oauth(self):

How to fix

Validate OAuth scopes on every endpoint. Check that the token has required permissions.