| Version | Supported |
|---|---|
| 3.x | ✅ |
| 2.x | ❌ |
| 1.x | ❌ |
| 0.x | ❌ |

Please report security vulnerabilities privately using GitHub's security advisory feature. Do not open public issues for security concerns.
We accept reports for vulnerabilities in FastMCP itself — the library code in this repository.
The following are out of scope:
- Vulnerabilities in third-party dependencies or the MCP SDK itself. We'll bump version floors for known CVEs, but the fix belongs upstream.
- Limitations of upstream identity providers that FastMCP cannot control.
- Issues that require the attacker to already have server-side access or control of the MCP server configuration.
When we receive a valid report:
- We triage the report and determine whether it affects FastMCP directly.
- We develop and test a fix on a private branch.
- We coordinate CVE assignment through GitHub's advisory process when warranted.
- We publish the advisory and release a patched version.
- We credit the reporter in the advisory (unless they prefer otherwise).