FastMCP

v4.0.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1 month ago · MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

mcp sse

Affected surfaces

auth

Summary

AI summary

OAuthProxy no longer defaults allowedRedirectUriPatterns; explicit configuration required.

Full changelog

4.0.0 (2026-04-13)

Bug Fixes

  • fix(auth)!: validate redirect_uri in OAuthProxy.authorize (CWE-601) (5478753)

BREAKING CHANGES

  • OAuthProxy no longer defaults allowedRedirectUriPatterns
    to ["https://*", "http://localhost:*"]. Deployments that relied on the
    old default must configure the URIs they trust explicitly, e.g.
    allowedRedirectUriPatterns: ["https://yourapp.example.com/*"]. Without
    this, Dynamic Client Registration (DCR) will reject all registrations
    and /oauth/authorize will reject all requests.

Breaking Changes

  • OAuthProxy no longer defaults allowedRedirectUriPatterns to ["https://*", "http://localhost:*"]. Explicit configuration of trusted URIs is now required.

Security Fixes

  • CVE-2026-XXXXX (CWE-601) — validate redirect_uri in OAuthProxy.authorize
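To show why the removed default was an open-redirect (CWE-601) risk and what the explicit allow-list buys, here is an added example of redirect_uri allow-listing in the spirit of the allowedRedirectUriPatterns option above. It is not FastMCP's own code: the glob semantics ("*" matches any run of characters), the helper names, and the sample URIs are assumptions made for illustration, so check the project's documentation for the real matching rules before relying on them.

```typescript
// Added example, not FastMCP's code. Models redirect_uri validation against an
// allow-list of patterns like the changelog's allowedRedirectUriPatterns.
// Assumption: "*" in a pattern matches any run of characters; everything else
// is matched literally and the whole redirect_uri must match.

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

/** Compile "https://yourapp.example.com/*" into an anchored RegExp. */
function patternToRegExp(pattern: string): RegExp {
  const body = pattern.split("*").map(escapeRegExp).join(".*");
  return new RegExp(`^${body}$`);
}

/** True only for a well-formed absolute http(s) URL that matches a pattern. */
function isAllowedRedirectUri(redirectUri: string, patterns: readonly string[]): boolean {
  let parsed: URL;
  try {
    parsed = new URL(redirectUri);
  } catch {
    return false; // relative or malformed values are never accepted
  }
  // Only http(s) may be a redirect target; other schemes are rejected outright.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  // OAuth 2.0 redirect URIs must not carry a fragment (RFC 6749 section 3.1.2).
  if (parsed.hash !== "") return false;
  return patterns.some((p) => patternToRegExp(p).test(redirectUri));
}

/** The removed default: any https origin matches, so a third-party host passes. */
const OLD_DEFAULT_PATTERNS: readonly string[] = ["https://*", "http://localhost:*"];

/** The explicit allow-list the changelog asks deployments to configure (hypothetical host). */
const STRICT_PATTERNS: readonly string[] = ["https://yourapp.example.com/*"];

/** Constructed sample redirect_uri values for the comparison below. */
const SAMPLE_URIS: readonly string[] = [
  "https://yourapp.example.com/cb",              // the deployment's real callback
  "https://yourapp.example.com.other.example/cb", // different registrable domain
  "http://localhost:3000/cb",                     // local development callback
  "https://yourapp.example.com/cb#fragment",      // fragment is not allowed
  "ftp://yourapp.example.com/cb",                 // wrong scheme
  "/cb",                                          // relative, not absolute
];

/** Evaluate every sample URI against a pattern list; returns uri -> allowed. */
function evaluate(patterns: readonly string[]): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const uri of SAMPLE_URIS) out[uri] = isAllowedRedirectUri(uri, patterns);
  return out;
}

console.log("old default:", evaluate(OLD_DEFAULT_PATTERNS));
console.log("strict:     ", evaluate(STRICT_PATTERNS));
```

Two things to take from the table this prints: under the old default the foreign-domain URI is accepted, which is exactly the redirect that CWE-601 describes, while the strict list rejects it; and the trailing "/*" matters, because a pattern written as "https://yourapp.example.com*" (no slash) would again match "https://yourapp.example.com.other.example/cb" by plain prefix. Anchor the host with "/" before the wildcard.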

About FastMCP

A high-level framework for building MCP servers in TypeScript
