Commit graph

1 commit

Author: Alessandro
SHA1: b73da881c6
Message: Upgrade FastMCP to 3.2.4 / MCP to 1.27.0 for CVE-2026-32871
Bump FastMCP from 2.13.1 to 3.2.4 and MCP from 1.22.0 to 1.27.0
to remediate CVE-2026-32871 (GHSA-vv7q-7jx5-f767), as flagged by
Docker Scout.

Add a regression test covering OpenAPI path-parameter escaping so
malicious values like ../../../admin/delete-all? remain percent-encoded
under the intended route prefix instead of resolving to a different
backend path.

Validation:
- smoke-tested Agent Zero MCP initialization against fastmcp 3.2.4 + mcp 1.27.0
- PYTHONPATH=/tmp/agent-zero-testdeps python3 -m pytest tests/test_fastmcp_openapi_security.py -q

Refs:
- CVE-2026-32871
- Docker Scout: https://scout.docker.com/vulnerabilities/id/CVE-2026-32871
- GitHub advisory: https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767
- Related upstream issue: https://github.com/agent0ai/agent-zero/issues/1526
Date: 2026-04-16 15:21:01 +02:00
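The regression test the commit message describes is not shown on this page. The following is an added example, not the project's own test, of the property it checks: a path parameter that is percent-encoded stays a single segment under the intended route prefix, while a raw substitution lets traversal segments resolve to a different backend path. The route prefix `/api/items/` is a hypothetical value, and the backend's behaviour is approximated with `posixpath.normpath`, which is an assumption about how a router collapses `..` segments.

```python
import posixpath
from urllib.parse import quote, urlsplit

# Hypothetical route prefix, not taken from the project.
ROUTE_PREFIX = "/api/items/"

# Malicious value quoted in the commit message, plus a benign one for contrast.
MALICIOUS_VALUE = "../../../admin/delete-all?"
BENIGN_VALUE = "widget-42"


def build_path_unsafe(prefix: str, value: str) -> str:
    """Raw substitution: '/' and '?' in the value reach the backend router as-is."""
    return prefix + value


def build_path_escaped(prefix: str, value: str) -> str:
    """Percent-encode every reserved character (safe="") so the value stays one segment."""
    return prefix + quote(value, safe="")


def resolves_under_prefix(path: str, prefix: str) -> bool:
    """Approximate what a backend router does: strip the query, collapse '..' and '.',
    then require the result to be exactly one segment below the prefix.
    (Assumption: the router normalises with POSIX semantics, like posixpath.normpath.)"""
    only_path = urlsplit(path).path          # "?..." would start a query string
    normalised = posixpath.normpath(only_path)
    if not normalised.startswith(prefix):
        return False                          # escaped the prefix entirely
    remainder = normalised[len(prefix):]
    return "/" not in remainder               # still a single path segment


def check_param(value: str, prefix: str = ROUTE_PREFIX) -> dict:
    """Return the paths both construction styles produce and whether each stays under the prefix."""
    unsafe = build_path_unsafe(prefix, value)
    escaped = build_path_escaped(prefix, value)
    return {
        "unsafe_path": unsafe,
        "unsafe_stays_under_prefix": resolves_under_prefix(unsafe, prefix),
        "escaped_path": escaped,
        "escaped_stays_under_prefix": resolves_under_prefix(escaped, prefix),
    }


if __name__ == "__main__":
    for value in (BENIGN_VALUE, MALICIOUS_VALUE):
        result = check_param(value)
        print(f"value={value!r}")
        print(f"  unsafe : {result['unsafe_path']}  under prefix: {result['unsafe_stays_under_prefix']}")
        print(f"  escaped: {result['escaped_path']}  under prefix: {result['escaped_stays_under_prefix']}")
```

Run as a script it prints both constructions for each value; the malicious value normalises to `/admin/delete-all` in the unsafe form but remains one encoded segment (`..%2F..%2F..%2Fadmin%2Fdelete-all%3F`) in the escaped form. The same `resolves_under_prefix` check can be dropped into a pytest file as an assertion over a client library's generated request paths.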