AnythingMCP

v0.1.27 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 15d MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

ai-agents anthropic api-gateway api-to-mcp chatgpt claude database gemini graphql llm-tools mcp mcp-gateway mcp-middleware mcp-proxy mcp-server model-context-protocol openapi rest self-hosted soap

Affected surfaces

auth rbac

Summary

AI summary

License entitlements are now scoped to each organization in cloud mode, fixing cross‑tenant leaks.

Changes in this release

Security Medium

Cross-tenant license entitlement leak in cloud mode fixed.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

`getCurrentLicense` now returns null for unlicensed organizations in cloud.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Bugfix Medium

`verifyLicense` is scoped to the calling organizationId in cloud.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Bugfix Medium

`setLicenseKey` and `requestTrialLicense` no longer write global pointer in cloud; store organizationId on trial record.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Refactor Low

`verifyOnStartup` becomes a no‑op in cloud mode.

Source: granite4.1:30b@2026-05-19-audit

Confidence: low

Full changelog

Highlights

Security/billing fix: cross-tenant license entitlement leak in cloud mode.

Pre-fix, an org with zero licenses could see another org's key as "License verified successfully" because `getCurrentLicense` fell back to a single instance-wide pointer (`site_settings.license_key`), and the unscoped `POST /api/license/verify` read from the same place. After this release, every license lookup in cloud mode is scoped to the calling `organizationId`.

  • `getCurrentLicense`: in cloud, returns null when the calling org has no license. No global pointer fallback, no auto-binding of orphan licenses.
  • `verifyLicense`: scoped to `organizationId` in cloud.
  • `setLicenseKey` / `requestTrialLicense`: stop writing the global pointer in cloud; persist `organizationId` on the trial record.
  • `verifyOnStartup`: no-op in cloud.

Self-hosted single-tenant behavior is unchanged — the `site_settings.license_key` mechanism still works for self-hosted installs.
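
The fallback described above, modelled as an added example (not AnythingMCP's code): the in-memory store layout, the helper names and the `crossTenantLeaks` check are assumptions made for illustration, and only the lookup behaviour follows the release notes. It shows the pre-fix shape next to the scoped shape and a tenant-isolation check that tells them apart.

```javascript
// Added illustration, not AnythingMCP source. Store layout and helper names
// are assumptions; only the lookup behaviour follows the release notes.

// Constructed sample data: org-a holds a license, org-b holds none, and one
// orphan license is bound to no organization.
function makeStore() {
  return {
    licenses: [
      { key: 'LIC-A-CONSTRUCTED', organizationId: 'org-a' },
      { key: 'LIC-ORPHAN-CONSTRUCTED', organizationId: null },
    ],
    // Instance-wide pointer, written when org-a activated its key.
    siteSettings: { license_key: 'LIC-A-CONSTRUCTED' },
  };
}

const findByKey = (store, key) => store.licenses.find((l) => l.key === key) ?? null;
const findByOrg = (store, orgId) =>
  store.licenses.find((l) => l.organizationId === orgId) ?? null;

// Pre-fix shape: a miss for the calling org falls back to the global pointer.
function getCurrentLicensePreFix(store, organizationId) {
  return findByOrg(store, organizationId)
    ?? findByKey(store, store.siteSettings.license_key);
}

// Post-fix shape: cloud lookups never leave the calling org. A missing org id
// yields null, so orphan licenses are never matched or auto-bound.
function getCurrentLicenseScoped(store, organizationId, { cloud }) {
  if (cloud) {
    if (!organizationId) return null;
    return findByOrg(store, organizationId);
  }
  // Self-hosted single-tenant: the global pointer is still the source of truth.
  return findByKey(store, store.siteSettings.license_key);
}

// Isolation check: list every org that receives a license it does not own.
function crossTenantLeaks(lookup, store, orgIds) {
  return orgIds.filter((orgId) => {
    const lic = lookup(store, orgId);
    return lic !== null && lic.organizationId !== orgId;
  });
}

const store = makeStore();
const orgs = ['org-a', 'org-b'];
const scoped = (s, o) => getCurrentLicenseScoped(s, o, { cloud: true });
console.log('pre-fix leaks:', crossTenantLeaks(getCurrentLicensePreFix, store, orgs));
console.log('scoped leaks:', crossTenantLeaks(scoped, store, orgs));
```

A check of this shape, run with at least one licensed and one unlicensed organization, is the kind of regression test that catches a reintroduced global fallback.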

Companion PR

  • anythingmcp#219 — the fix + 6 unit tests
  • anythingmcp#220 — version bump

Breaking Changes

  • `getCurrentLicense` in cloud mode now returns `null` when the calling organization has no license, removing global fallback to `site_settings.license_key`.
  • `verifyLicense`, `setLicenseKey`, and `requestTrialLicense` are scoped to `organizationId` in cloud mode and no longer write or read the global pointer.
  • `verifyOnStartup` is a no‑op in cloud mode.

Security Fixes

  • CVE-2025-XXXXX – Cross‑tenant license entitlement leak fixed by scoping all license lookups to `organizationId` in cloud mode.
