CVE-2025-69196

Name: CVE-2025-69196 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2025-69196

MEDIUM

CVSS v3.1: 6.5 · EPSS: 0.0028 (19.6 percentile)

NetworkNo privilegesIncorrect AuthorizationVendor advisory ref

Source data as of: 2026-06-30 05:13:05 UTC

At a glance

Severity: MEDIUM
CVSS: 6.5 v3.1 · NVD
EPSS: 0.0028 (19.6 percentile) · FIRST.org
CISA KEV: No
Type: Incorrect Authorization · NVD CWE
Attack conditions (CVSS vector): NetworkNo privileges · Source: NVD Vector
Affected vendors: jlowin
Published: 2026-03-16 · Modified: 2026-06-30
References: Jump to references (4)

CVSS / EPSS / KEV

CVSS v3.1 6.5 / 10 MEDIUM Source: NVD

CVSS v4.0 7.4 / 10 HIGH Source: NVD

EPSS 0.0028 19.6 percentile Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

Record details

CVE ID: CVE-2025-69196
CVSS (v3.1): 6.5 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability subscore: 2.8
Impact subscore: 3.6
EPSS: 0.0028 (19.6 percentile) — 2026-06-30
CISA KEV: No
Weakness (CWE): CWE-863, CWE-1220
Affected vendors: jlowin
Affected configurations (CPE): 1
Published: 2026-03-16
Modified: 2026-06-30
Status: Modified

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

← Back to all records

CVE-2025-69196

At a glance

CVSS / EPSS / KEV

Description

Record details

References

Related records

Same affected vendor

Same weakness type (CWE)

Published the same year