This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

anthropic claude go mcp mcp-server model-context-protocol
okr product-management productplan roadmap

Affected surfaces

auth rbac

Summary

AI summary

manage_* tools are now correctly annotated as Destructive, and path-injection hardening across API endpoints closes HG-3 violations.

Full changelog

Security

  • manage_* tools now correctly annotated as Destructive. Twelve write tools (manage_lane, manage_milestone, manage_bar, manage_bar_connection, manage_bar_link, manage_objective, manage_key_result, manage_idea, manage_opportunity, manage_launch, manage_launch_section, manage_launch_task) all support action=delete with documented cascade-delete behavior, but none carried DestructiveHint=true. MCP clients that gate user-confirmation on this hint will now prompt before manage_* deletions and updates. Closes HG-3 violation.
  • IdempotentHint=true no longer blanket-set on manage_*. The previous annotation was a lie: action=create twice produces two records; action=delete twice 404s on the second call. Retry-aware MCP clients that trust the hint could silently duplicate writes on network blips. Annotation now omitted from manage_* tools so clients treat them as non-idempotent (safe default).
  • Path-injection hardening across 40+ API endpoint methods. Every method that interpolated user-supplied IDs into URL paths now validates them against ^[A-Za-z0-9_-]+$ and applies url.PathEscape before concatenation. Before: a prompt-injected agent could send bar_id="../../strategy/objectives/SECRET" and the request silently pivoted to a different resource via an upstream proxy normalising .. segments. Now: invalid IDs are rejected at the validator with "bar_id contains invalid characters" before any HTTP call. Real ProductPlan IDs (alphanumeric tokens, optionally with -/_) all match the regex; no legitimate workflow regresses.

These three fixes close violations of patterns graduated 2026-04-25 (HG-3 destructive annotations + path-injection class). Validators in pkg/productplan/validation.go were previously dead code — now wired in via a new safeSeg helper at the API client boundary. Found by an autonomous-vulnerability-research sweep across the MCP portfolio.
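The validate-then-escape pattern described above, as an added example that is not the project's own code. The `/api/v2/bars/` prefix, the `unsafeBarPath`, `safeBarPath` and `normalise` names, and the body of `safeSeg` are assumptions; `path.Clean` stands in for the upstream proxy's `..` normalisation.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
)

// idPattern is the allow-list quoted in the release notes. In Go, `$` without
// the (?m) flag matches only at end of text, so a trailing newline is rejected.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// safeSeg validates a user-supplied ID, then escapes it as a single path
// segment. Hypothetical reimplementation; the project's helper may differ.
func safeSeg(name, value string) (string, error) {
	if !idPattern.MatchString(value) {
		return "", fmt.Errorf("%s contains invalid characters", name)
	}
	return url.PathEscape(value), nil
}

// unsafeBarPath is the "before" shape: the raw ID is interpolated directly.
func unsafeBarPath(barID string) string { return "/api/v2/bars/" + barID }

// safeBarPath is the "after" shape: the ID is rejected before any URL is built.
func safeBarPath(barID string) (string, error) {
	seg, err := safeSeg("bar_id", barID)
	if err != nil {
		return "", err
	}
	return "/api/v2/bars/" + seg, nil
}

// normalise models an intermediary that collapses "." and ".." segments
// (assumed behaviour, approximated here with path.Clean).
func normalise(p string) string { return path.Clean(p) }

func main() {
	// Constructed sample IDs: one legitimate, the rest malformed.
	ids := []string{"abc-123_X", "../../strategy/objectives/SECRET", "a/b", "", "abc\n"}
	for _, id := range ids {
		p, err := safeBarPath(id)
		fmt.Printf("id=%q\n  unvalidated, after normalisation: %q\n  validated: %q err=%v\n",
			id, normalise(unsafeBarPath(id)), p, err)
	}
}
```

The empty ID is worth noting: without validation it resolves to the collection path `/api/v2/bars`, which the `+` quantifier in the pattern prevents.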

What's Changed

  • fix(ci): remove release: published trigger from mcp-registry.yml by @olgasafonova in https://github.com/olgasafonova/productplan-mcp-server/pull/27
  • security: HG-3 destructive annotation + path-injection fixes (Carlini portfolio sweep) by @olgasafonova in https://github.com/olgasafonova/productplan-mcp-server/pull/29

Full Changelog: https://github.com/olgasafonova/productplan-mcp-server/compare/v5.0.1...v5.1.0

Security Fixes

  • `manage_*` tools now correctly annotated as Destructive (DestructiveHint=true) and IdempotentHint removed; path‑injection validation added to 40+ API endpoints, closing HG-3 violations.


About olgasafonova/productplan-mcp-server

Query ProductPlan roadmaps. Access OKRs, ideas, launches, and timeline data.
