This release includes 1 security fix for security teams reviewing exposed deployments.
Published 1mo
MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE
Topics
ai-agents
anthropic
api-gateway
api-to-mcp
chatgpt
claude
+14 more
database
gemini
graphql
llm-tools
mcp
mcp-gateway
mcp-middleware
mcp-proxy
mcp-server
model-context-protocol
openapi
rest
self-hosted
soap
Affected surfaces
auth
rbac
Summary
AI summaryToolRegistry uses globally unique tool IDs as primary keys, preventing cross‑org tool collisions.
Full changelog
What's Changed
Security Fix
- Cross-org tool collision: ToolRegistry now uses tool ID (globally unique) as primary key instead of tool name. Prevents org A from accidentally executing org B's tool when both have tools with the same name.
- Tool lookup scoped to connector IDs of the requesting MCP server.
Bug Fixes
- Trial banner no longer shows on login/register pages
- License status endpoint returns empty in cloud mode without auth
- Email fallback finds license key from DB when site_settings is stale
- Cloud registration correctly assigns ADMIN role to org creator
Improvements
- Docker workflow now tags both version + latest in a single build (was two separate builds)
Breaking Changes
- ToolRegistry primary key changed from tool name to globally unique tool ID
Security Fixes
- CVE‑2024‑XXXXX – Cross‑org tool collision fixed by using globally unique tool IDs as primary keys in ToolRegistry; lookup now scoped to connector IDs of the requesting MCP server.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About AnythingMCP
All releases →Related context
Beta — feedback welcome: [email protected]