Skip to content

CodeAbra/iai-mcp

v0.3.2 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 21d MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

ai-agents ai-memory claude claude-code embeddings episodic-memory
+13 more
lancedb llm-tools local-first long-term-memory mcp mcp-server memory model-context-protocol openclaw python semantic-search sentence-transformers vector-db

Affected surfaces

auth

ReleasePort's take

Light signal
editorial:auto 13d

Session precache files in v0.3.2 are now created with secure permissions (mode 0600) instead of world-readable (0644), preventing unauthorized access to decrypted payloads on shared systems.

Why it matters: Decrypted session payloads were world-readable in precache files (0644), exposing them locally. v0.3.2 fixes with mode 0600. Upgrade immediately on shared systems.

Summary

AI summary

Precache file created with mode 0600 to fix world‑readable decrypted payload vulnerability.

Changes in this release

Security Medium

Session precache file now created with secure mode 0600 instead of 0644

Session precache file now created with secure mode 0600 instead of 0644

Source: llm_adapter@2026-05-21

Confidence: low
Full changelog

Security

Precache file (~/.iai-mcp/.session-start-payload.cached.md) now created with mode 0600 instead of process umask default (was 0644 world-readable).

If you are running v0.3.1, upgrade immediately — the decrypted recall payload was readable by other local users.

Security Fixes

  • File ~/.iai-mcp/.session-start-payload.cached.md now created with mode 0600 (was 0644), preventing other local users from reading the decrypted recall payload.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track CodeAbra/iai-mcp

Get notified when new releases ship.

Sign up free

About CodeAbra/iai-mcp

All releases →

Related context

Earlier breaking changes

  • v0.4.0 Hook log marker format changed from 'cache-hit fresh' to 'cache-hit age='
  • v0.4.0 Deferred-capture retry replaces old rename-once-and-skip behavior
  • v0.4.0 Removed 24-hour staleness cap from session-recall hook
  • v0.2.0 IAI_MCP_EMBED_QUANTIZE accepts only int8 (lowercase) or unset; other values crash daemon at startup.

Beta — feedback welcome: [email protected]