Skip to content

fix: upgrade fastmcp to >=3.2.0 to resolve CVE-2026-32871 (CVSS 10.0)#220

Open
jesus-talavera-ibm wants to merge 1 commit into
Qiskit:mainfrom
jesus-talavera-ibm:fix/upgrade-fastmcp-3
Open

fix: upgrade fastmcp to >=3.2.0 to resolve CVE-2026-32871 (CVSS 10.0)#220
jesus-talavera-ibm wants to merge 1 commit into
Qiskit:mainfrom
jesus-talavera-ibm:fix/upgrade-fastmcp-3

Conversation

@jesus-talavera-ibm

Copy link
Copy Markdown
Contributor

Summary

  • Upgrades fastmcp from >=2.x,<3 to >=3.2.0,<4 across all 5 servers
  • Fixes 6 security vulnerabilities (ref: github.ibm.com/ai-models-architectures/QiskitMCP-Bench/issues/7)
  • Updates tests to use fastmcp 3.x public API instead of private internals

CVEs Resolved

CVE Severity CVSS Component Fix
CVE-2026-32871 Critical 10.0 fastmcp (direct) fastmcp >=3.2.0
CVE-2026-49852 High 7.5 joserfc (transitive) joserfc >=1.6.8
CVE-2026-7246 High 7.2 click (transitive) click >=8.3.3
CVE-2026-44681 Medium 6.1 authlib (transitive) authlib >=1.7.1
CVE-2026-41479 Medium 5.4 authlib (transitive) authlib >=1.7.1
CVE-2026-48990 Medium 5.3 joserfc (transitive) joserfc >=1.6.7

Test plan

  • uv run pytest passes in all 5 server directories
  • uv run ruff check passes in all test files
  • CI passes on all servers

Bumps fastmcp from 2.x to >=3.2.0,<4 across all servers, fixing:
- CVE-2026-32871 (Critical 10.0): SSRF via path traversal in OpenAPIProvider
- CVE-2026-49852 (High 7.5): HMAC empty-key auth bypass in joserfc
- CVE-2026-7246 (High 7.2): command injection in click
- CVE-2026-44681, CVE-2026-41479, CVE-2026-48990 (Medium)

Updates tests to use fastmcp 3.x public API (list_tools/list_resources/
list_prompts/list_resource_templates) instead of private internals.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesus-talavera-ibm

Copy link
Copy Markdown
Contributor Author

The test-transpiler failures are pre-existing and unrelated to this PR.
Those integration tests call real IBM Quantum APIs using QISKIT_IBM_TOKEN from repository secrets, which aren't available on fork PRs — so all _success scenarios return "error" instead of "success".
All unit tests, including the ones modified in this PR, pass across all Python versions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant