
cameronrye/activitypub-mcp

v3.1.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 5h MCP Data & Storage
✓ No known CVEs patched
This release patches 1 known CVE

Topics

activitypub fedify fediverse mcp mcp-server webfinger

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 3h

The `upload-media` endpoint now validates file content before transmission. The Misskey relationship API and outbox pagination have been fixed for consistent response handling.

Why it matters: Security: `upload-media` validation blocks exfiltration of arbitrary local files through the upload path. Bugfixes: the Misskey relationship and outbox pagination fixes make API behavior consistent across endpoints.

Summary

AI summary

upload-media validates file content before sending, preventing arbitrary path exfiltration.

Changes in this release

Security Critical

`upload-media` validates file content before sending.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Claude Desktop Extension (`.mcpb`) built and attached automatically for every release.

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

`users/relation` endpoint correctly handles both object and array responses from Misskey.

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Outbox pagination `hasMore` flag reflects actual cursor presence.

Source: llm_adapter@2026-06-05

Confidence: high

Refactor Low

LLM reference files (`llms.txt`, `llms-full.txt`) reconciled with current code.

Source: llm_adapter@2026-06-05

Confidence: high

Full changelog

[3.1.1] - 2026-06-05

Security

  • upload-media validates file content before sending. The tool read whatever
    filePath the model supplied and forwarded it to the instance with no type check, so a
    prompt-injected model (injection arriving through the read tools that surface fediverse
    content) could name an arbitrary path — an SSH key, the credential store, a .env — and
    exfiltrate it to a public media URL. Files are now sniffed by magic bytes and rejected
    unless they are a recognized image/video/audio type, neutralizing the exfiltration vector
    while preserving the ability to upload media from anywhere on disk.
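
The magic-byte allowlist described above, sketched in Node.js as an added example. This is not activitypub-mcp's code: the signature table, `sniffMediaType`, `loadMediaForUpload` and the sample files are assumptions made for illustration.

```javascript
// Added example (not activitypub-mcp's code): allowlist uploads by magic bytes.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const sig = (offset, bytes) => ({ offset, bytes: Buffer.from(bytes) });
// Media type -> byte patterns that must ALL be present at the given offsets.
const ALLOWED = [
  ["image/png", [sig(0, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])]],
  ["image/jpeg", [sig(0, [0xff, 0xd8, 0xff])]],
  ["image/gif", [sig(0, "GIF8")]],
  ["image/webp", [sig(0, "RIFF"), sig(8, "WEBP")]],
  ["audio/wav", [sig(0, "RIFF"), sig(8, "WAVE")]],
  ["audio/ogg", [sig(0, "OggS")]],
  ["audio/flac", [sig(0, "fLaC")]],
  ["video/mp4", [sig(4, "ftyp")]], // ISO BMFF container (MP4/MOV family)
  ["video/webm", [sig(0, [0x1a, 0x45, 0xdf, 0xa3])]], // EBML (WebM/Matroska)
];

// Returns the matched media type, or null when no signature matches.
function sniffMediaType(buf) {
  for (const [type, parts] of ALLOWED) {
    const ok = parts.every(({ offset, bytes }) =>
      buf.subarray(offset, offset + bytes.length).equals(bytes));
    if (ok) return type;
  }
  return null;
}

// Hypothetical upload guard: the model-supplied path is read once, and the
// bytes that were sniffed are the same bytes returned for sending.
function loadMediaForUpload(filePath) {
  const data = fs.readFileSync(filePath);
  const type = sniffMediaType(data);
  if (!type) throw new Error(`refusing to upload ${filePath}: not a recognized media file`);
  return { type, data };
}

// Constructed sample files: a PNG header, and secret-like text renamed to .png.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "upload-guard-"));
  const png = path.join(dir, "avatar.png");
  const fake = path.join(dir, "dotenv.png");
  fs.writeFileSync(png, Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]));
  fs.writeFileSync(fake, "API_TOKEN=constructed-placeholder\n");
  let rejected = false;
  try { loadMediaForUpload(fake); } catch { rejected = true; }
  return { accepted: loadMediaForUpload(png).type, rejected };
}
```

The decision is made on file content rather than the path or extension, so a text file renamed to `.png` is refused while real media is accepted from any directory.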

Fixed

  • Misskey relationship results. users/relation returns the relation wrapped in a
    one-element array for a single user id (its res schema is oneOf: [object, array]); the
    adapter read it as a bare object, so following / followed_by / muting / blocking /
    requested silently came back false after every Misskey follow, mute, or block. Both
    response shapes are now handled.
  • Outbox pagination no longer reports phantom "more". fetchActorOutboxPaginated set
    hasMore: true whenever a page was full (items.length === limit), even with no next
    cursor to follow — so a caller on a full final page would loop on the same page. hasMore
    is now true only when there is a cursor to follow.

Distribution

  • The Claude Desktop Extension (.mcpb) is built and attached to every release. The
    README's one-click install points at this asset on the latest release, but it had only
    ever been attached to v3.0.1 by hand; release.yml now builds the bundle and uploads it
    on every release, and a test fails CI if the workflow stops doing so.

Changed

  • LLM-facing reference files reconciled with the code. public/llms.txt and
    public/llms-full.txt no longer describe removed surfaces (the /metrics endpoint,
    a "metrics tool", the HEALTH_CHECK_EXTERNAL_PROBE / ENABLE_PERFORMANCE_MONITORING
    env vars) or non-existent tool/prompt names in their examples, and now document the
    read-only-by-default posture and the ACTIVITYPUB_ENABLE_WRITES master switch.

Security Fixes

  • `upload-media` validates file content using magic-byte checks, neutralizing the arbitrary-path exfiltration vulnerability.


About cameronrye/activitypub-mcp

A comprehensive MCP server that enables LLMs to explore and interact with the Fediverse through ActivityPub protocol. Features WebFinger discovery, timeline fetching, instance exploration, and cross-platform support for Mastodon, Pleroma, Misskey, and other ActivityPub servers.


Related context

Earlier breaking changes

  • v2.1.0 `activitypub://instance-info/{domain}` `software` field now an object instead of a string.
  • v2.1.0 Removed `activitypub://post-thread/{postUrl}` URI form; use `{domain}/{statusId}` instead.
  • v2.0.0 'get-relationship' no longer accepts legacy `accountIds` array; requires single `acct` string.
  • v2.0.0 `MCP_HTTP_CORS_ORIGINS` no longer defaults to '*'; must be set explicitly.
  • v2.0.0 `scheduledId` renamed to `scheduledPostId` in scheduling tools.
