fastmcp

v3.4.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 6h AI Coding Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agents fastmcp llms mcp mcp-clients mcp-servers

+3 more

mcp-tools model-context-protocol python

Affected surfaces

deps

ReleasePort's take

Moderate signal

editorial:auto 5h

Floors Starlette at >=1.0.1 to block CVE-2026-48710 vulnerable versions; OAuthProxy now logs refresh‑token cache misses instead of failing silently.

Why it matters: CVE‑2026‑48710 (severity 90) is mitigated by updating Starlette to version 1.0.1 or newer; the change improves observability of token‑cache failures in OAuthProxy.

Summary

AI summary

Updates Enhancements ✨, Security 🔒, and Docs 📚 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Floors Starlette at >=1.0.1, blocking CVE-2026-48710 vulnerable versions. Floors Starlette at >=1.0.1, blocking CVE-2026-48710 vulnerable versions. Source: llm_adapter@2026-06-05 Confidence: high	—
Bugfix	Medium	OAuthProxy now logs refresh-token cache misses instead of failing silently. OAuthProxy now logs refresh-token cache misses instead of failing silently. Source: llm_adapter@2026-06-05 Confidence: high	—

Full changelog

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through mcp, which allowed vulnerable versions. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

What's Changed

Enhancements ✨

Log refresh-token misses in OAuthProxy instead of failing silently by @jlowin in https://github.com/PrefectHQ/fastmcp/pull/4276

Security 🔒

Add explicit starlette>=1.0.1 floor (CVE-2026-48710) by @jlowin in https://github.com/PrefectHQ/fastmcp/pull/4286

Docs 📚

Document --notes-start-tag in release instructions by @jlowin in https://github.com/PrefectHQ/fastmcp/pull/4275

Full Changelog: https://github.com/PrefectHQ/fastmcp/compare/v3.4.0...v3.4.1

Breaking Changes

Minimum Starlette version raised to >=1.0.1

Security Fixes

CVE-2026-48710 — Starlette vulnerable versions blocked by explicit >=1.0.1 floor

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track fastmcp

Get notified when new releases ship.

About fastmcp

The fast, Pythonic way to build MCP servers and clients.

All releases →

Related context

Related tools

Related CVEs

CVE-2026-48710 NVD KEV EPSS

Earlier breaking changes

v3.4.0 Proxy initialize now forwards upstream initialization, failing loudly on errors.