| Auditor | Findings | Max CVSS | Score |
|---|---|---|---|
| auth | 2 | 8.6 | 75/100 |
| tools | 1 | 6.8 | 90/100 |

| Field | Value |
|---|---|
| CWE | CWE-287 — Improper Authentication |
| Detection | endpoint |
| Effort | high |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |

The entry point of the entire MCP auth discovery chain is missing. MCP clients cannot determine the authorization server's location, cannot discover required scopes, and per the spec MUST fail the connection attempt. The server has no machine-readable auth mechanism.

Serve RFC 9728 compliant metadata at `/.well-known/oauth-protected-resource` with an `authorization_servers` array. Alternatively, include the `resource_metadata` URI in the `WWW-Authenticate` header on 401 responses. FastMCP serves this endpoint automatically when any auth provider is configured.

```python
# FastMCP — automatic endpoint, just configure auth
from fastmcp import FastMCP
from fastmcp.server.auth import OAuthProvider

mcp = FastMCP(
    name='My Server',
    auth=OAuthProvider(...)
)
# /.well-known/oauth-protected-resource served automatically
```

- MCP-SPEC-AUTH: Protected Resource Metadata Discovery Requirements
- RFC9728: Protected Resource Metadata
- OWASP-MCP07: MCP07 — Insufficient Authentication & Authorization
- FMCP-TIER1: TokenVerifier — minimum auth tier

| Field | Value |
|---|---|
| CWE | CWE-287 — Improper Authentication |
| Detection | endpoint |
| Effort | high |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |

MCP clients cannot verify PKCE support, discover the token endpoint, or check DCR support. The spec requires clients to refuse authorization if neither discovery mechanism returns valid metadata.

Serve OAuth 2.0 Authorization Server Metadata at `/.well-known/oauth-authorization-server` (preferred) or OpenID Connect Discovery at `/.well-known/openid-configuration`. FastMCP OAuthProvider serves this automatically.

```python
# FastMCP OAuthProvider serves AS metadata automatically
from fastmcp import FastMCP
from fastmcp.server.auth import OAuthProvider

mcp = FastMCP(
    name='My Server',
    auth=OAuthProvider(
        issuer='https://auth.example.com',
        # ... provider config
    )
)
# /.well-known/oauth-authorization-server served automatically
```

- MCP-SPEC-AUTH: Authorization Server Metadata Discovery — MUST support RFC 8414 or OIDC
- RFC8414: OAuth 2.0 Authorization Server Metadata
- OWASP-MCP07: MCP07 — Insufficient Authentication & Authorization

| Field | Value |
|---|---|
| CWE | CWE-20 — Improper Input Validation |
| Detection | introspection |
| Effort | low |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |

Unconstrained string parameters for file paths, URLs, commands, or structured content are the entry point for injection attacks. Without `maxLength`, `pattern`, or `enum` constraints, LLM-generated inputs can contain path traversal sequences (`../`), shell metacharacters, or oversized payloads.

Add JSON Schema validation constraints to all sensitive parameters. Use `maxLength` to prevent oversized inputs, `pattern` for format enforcement, and `enum` for known-value parameters.

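```python
from pydantic import Field

# `mcp` is the FastMCP instance created elsewhere in the server

# BAD — unconstrained path parameter
@mcp.tool()
def read_file(path: str) -> str:  # ❌ no constraints
    ...

# GOOD — constrained with validation
@mcp.tool()
def read_file(
    path: str = Field(
        max_length=255,
        # Character allow-list only: '..' and a leading '/' still match this
        # pattern, so the tool body must also resolve the path and confirm
        # that it stays inside the workspace.
        pattern=r'^[a-zA-Z0-9_/.-]+$',
        description='Relative file path within the workspace'
    )
) -> str:
    ...
```
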
- OWASP-MCP05: MCP05 — Command Injection & Execution
- MCP-SPEC-INPUT: Input Validation — tool input sanitization
- OWASP-LLM02: LLM02 — Insecure Output Handling

| # | Finding | Severity | CVSS | Effort | Action |
|---|---|---|---|---|---|
| 1 | MCP-AUTH-001 | critical | 8.6 | high | Serve RFC 9728 compliant metadata at /.well-known/oauth-protected-resource with 'authorization_serve... |
| 2 | MCP-AUTH-006 | high | 7.2 | high | Serve OAuth 2.0 Authorization Server Metadata at /.well-known/oauth-authorization-server (preferred)... |
| 3 | MCP-TOOL-004 | high | 6.8 | low | Add JSON Schema validation constraints to all sensitive parameters. Use 'maxLength' to prevent overs... |

| Standard | Findings |
|---|---|
| FMCP-TIER1 | MCP-AUTH-001 |
| MCP-SPEC-AUTH | MCP-AUTH-001, MCP-AUTH-006 |
| MCP-SPEC-INPUT | MCP-TOOL-004 |
| OWASP-LLM02 | MCP-TOOL-004 |
| OWASP-MCP05 | MCP-TOOL-004 |
| OWASP-MCP07 | MCP-AUTH-001, MCP-AUTH-006 |
| RFC8414 | MCP-AUTH-006 |
| RFC9728 | MCP-AUTH-001 |