
cameronrye/activitypub-mcp

v3.0.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1d MCP Data & Storage
✓ No known CVEs patched
This release patches 1 known CVE

Topics

activitypub fedify fediverse mcp mcp-server webfinger

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 1d

Version v3.0.1 strips credentials on cross‑origin HTTP redirects to prevent leakage.

Why it matters: Cross‑origin redirect handling now removes auth tokens, mitigating credential exposure risk in affected surface areas.

Summary

AI summary

Strip credentials on cross‑origin redirects to prevent leakage.

Changes in this release

Security Critical

Strip credentials on cross-origin redirects.


Source: llm_adapter@2026-06-03

Confidence: high

Feature Low

Adds official MCP registry manifest support.


Source: llm_adapter@2026-06-03

Confidence: high

Bugfix Medium

Fixes Misskey `get-home-timeline` pagination mapping.


Source: llm_adapter@2026-06-03

Confidence: high

Bugfix Medium

Improves resilient remote fetches with retry and tolerance for ActivityStreams fields.


Source: llm_adapter@2026-06-03

Confidence: high

Full changelog

[3.0.1] - 2026-06-02

Security

  • Strip credentials on cross-origin redirects. Authorization, Cookie, and the request body are dropped when an outbound fetch is redirected to a different origin, so credentials can never leak to an unexpected host.

Added

  • Official MCP registry manifest. A server.json and a mcpName marker in package.json let the server be published to the MCP Registry — npm package, stdio transport, read-only by default. See docs/distribution.md for the publishing playbook.

Fixed

  • Misskey get-home-timeline pagination. minId is now mapped to the correct Misskey API parameter.
  • Resilient remote fetches. Outbound requests honor Retry-After, retry transient (5xx / network) failures with backoff, and tolerate ActivityStreams to/cc delivered as a single string instead of an array.

Security Fixes

  • Strip `Authorization`, `Cookie`, and request body on cross‑origin redirects — prevents credential leakage
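
The redirect handling the changelog describes, as an added JavaScript example: redirects are followed by hand and `Authorization`, `Cookie` and the body are dropped whenever the origin changes. This is not activitypub-mcp's own code; `nextHop`, `fetchWithSafeRedirects`, `SAMPLE_REQUEST` and the `.example` hosts are assumptions made for illustration.

```javascript
// Added illustration; not taken from activitypub-mcp. All names are hypothetical.
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
const CREDENTIAL_HEADERS = ["authorization", "cookie"]; // the two headers the changelog names

// Compute the request for the next hop, or null when the response is not a redirect.
// req: { url, method, headers: { name: value }, body }
function nextHop(req, status, location) {
  if (!REDIRECT_STATUSES.has(status) || !location) return null;
  const from = new URL(req.url);
  const to = new URL(location, from); // resolves relative Location values
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) headers[name.toLowerCase()] = value;
  let { method, body } = req;
  // Usual fetch behaviour: 303, and 301/302 on POST, are retried as a body-less GET.
  const seeOther = status === 303 && method !== "GET" && method !== "HEAD";
  if (seeOther || ((status === 301 || status === 302) && method === "POST")) {
    method = "GET";
    body = undefined;
  }
  // Origin = scheme + host + port, so an https -> http downgrade also counts.
  if (to.origin !== from.origin) {
    for (const name of CREDENTIAL_HEADERS) delete headers[name];
    body = undefined;
  }
  if (body === undefined) {
    delete headers["content-type"];
    delete headers["content-length"];
  }
  return { url: to.href, method, headers, body };
}

// Follow redirects by hand so every hop passes through nextHop().
async function fetchWithSafeRedirects(req, fetchImpl = fetch, maxHops = 5) {
  let current = req;
  for (let hop = 0; hop <= maxHops; hop++) {
    const { url, method, headers, body } = current;
    const res = await fetchImpl(url, { method, headers, body, redirect: "manual" });
    const next = nextHop(current, res.status, res.headers.get("location"));
    if (!next) return res;
    current = next; // stripped credentials are never restored on later hops
  }
  throw new Error("too many redirects");
}

// Constructed sample request (placeholder host and token).
const SAMPLE_REQUEST = {
  url: "https://social.example/api/v1/timelines/home",
  method: "GET",
  headers: { Authorization: "Bearer CONSTRUCTED", Cookie: "sid=CONSTRUCTED", Accept: "application/json" },
};
```
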


About cameronrye/activitypub-mcp

A comprehensive MCP server that enables LLMs to explore and interact with the Fediverse through ActivityPub protocol. Features WebFinger discovery, timeline fetching, instance exploration, and cross-platform support for Mastodon, Pleroma, Misskey, and other ActivityPub servers.


Related context

Earlier breaking changes

  • v2.1.0 `activitypub://instance-info/{domain}` `software` field now an object instead of a string.
  • v2.1.0 Removed `activitypub://post-thread/{postUrl}` URI form; use `{domain}/{statusId}` instead.
  • v2.0.0 'get-relationship' no longer accepts legacy `accountIds` array; requires single `acct` string.
  • v2.0.0 `MCP_HTTP_CORS_ORIGINS` no longer defaults to '*'; must be set explicitly.
  • v2.0.0 `scheduledId` renamed to `scheduledPostId` in scheduling tools.
