This release fixes issues for SREs watching stability and regressions.
✓ No known CVEs patched in this version
Summary
AI summary: Fixes silent auth failure for bearer-flow profiles using env password sources.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Bugfix | Medium | Fixes silent auth failure for bearer flow profiles with env password source. Source: llm_adapter@2026-05-25. Confidence: high. | — |
Full changelog
Patch follow-up to 0.15.0 closing a silent auth failure on the headline flow: bearer profiles.
Fixed
- MCP bearer-flow auth profile resolution (`mcp_server/auth.py`). Profiles declaring `flow: bearer` with `password_source: env` silently fell back to form-post: `resolve_auth_profile_to_dict` ignored `prof.flow` and returned a `form_post` dict for any password-source profile. Downstream POSTed form-encoded credentials to JSON-only endpoints like Juice Shop `/rest/user/login` and the login silently failed with `auth_profile '<name>' could not be resolved or login failed`. Adds a `bearer_dynamic` branch on both sides of the resolver. Two integration tests cover the dict shape and the async POST→JWT path. Validated end-to-end against Juice Shop v19.2.1 (8 phases completed, 100 findings, same 43/68 catch set as the 0.15.0 deterministic baseline).
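
A minimal sketch of the bug class described in this entry, added here as an illustration and not pentest-ai's own code: a resolver that never reads the flow discriminator, next to one that dispatches on it and rejects unknown flows. The dataclass fields other than `flow` and `password_source`, the dict keys, the function names, the `DEMO_PW` variable and the localhost URL are assumptions.

```python
import os
from dataclasses import dataclass

@dataclass
class AuthProfile:  # hypothetical shape; only flow and password_source come from the page
    name: str
    flow: str             # "bearer" or "form_post"
    password_source: str  # "env"
    password_env: str     # assumed: env var that holds the password
    username: str
    login_url: str

def _creds(prof):
    """Read credentials from the environment, failing loudly if they are absent."""
    if prof.password_source != "env":
        raise ValueError(f"unsupported password_source {prof.password_source!r}")
    if prof.password_env not in os.environ:
        raise ValueError(f"{prof.password_env} is not set (profile {prof.name!r})")
    return {"username": prof.username, "password": os.environ[prof.password_env]}

def resolve_before(prof):
    """Pre-fix behaviour as the changelog describes it: prof.flow is never read."""
    return {"type": "form_post", "url": prof.login_url, "data": _creds(prof)}

def resolve_after(prof):
    """Dispatch on flow; an unknown flow raises instead of falling back."""
    creds = _creds(prof)
    if prof.flow == "bearer":
        # JSON body, which a JSON-only login endpoint expects
        return {"type": "bearer_dynamic", "url": prof.login_url, "json": creds}
    if prof.flow == "form_post":
        return {"type": "form_post", "url": prof.login_url, "data": creds}
    raise ValueError(f"unknown flow {prof.flow!r} in profile {prof.name!r}")

# Constructed sample input: local lab URL and a throwaway password value.
os.environ.setdefault("DEMO_PW", "constructed-not-a-real-secret")
BEARER = AuthProfile("lab", "bearer", "env", "DEMO_PW", "tester",
                     "http://localhost:3000/rest/user/login")

if __name__ == "__main__":
    print(resolve_before(BEARER)["type"])  # wrong shape for a bearer profile
    print(resolve_after(BEARER)["type"])   # shape matches the declared flow
```

Asserting on the resolved dict's type and body key, as the release's dict-shape test is described as doing, catches this regression without a live target.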
Install
pip install ptai==0.15.1
PyPI: https://pypi.org/project/ptai/0.15.1/
Full notes in CHANGELOG.md.
About pentest-ai
Offensive-security MCP server with 205 wrapped tools, 17 specialist agents, and 60 SPA-aware probes for OWASP Top 10. CLI + MCP, BYO LLM. No API key needed on MCP path.