This release includes 2 security fixes relevant to teams reviewing exposed deployments.
AI summary: MCP authentication is now enabled by default, requiring explicit opt-out via NLMCP_AUTH_DISABLED=true.
Full changelog
v2026.2.10 — The Hardening Release
17 Security Layers | 168 Tests | 9 Domain Modules | Secure-by-Default
The biggest security and architecture update since launch. Three new security layers, a complete handler architecture overhaul, and the most secure MCP server default configuration in the ecosystem.
What's New
🔒 3 New Security Layers (14 → 17)
| Layer | What it does |
|-------|-------------|
| Secure-by-Default Auth | MCP authentication is now ON by default — zero configuration needed. Explicit opt-out via NLMCP_AUTH_DISABLED=true required to disable. No more accidentally running without auth. |
| Exponential Backoff Lockout | Failed auth attempts now trigger escalating lockouts: 5min → 15min → 45min → 4hr cap. Brute-force attacks become exponentially expensive. The escalation level persists across lockout resets, so waiting out a lockout does not return an attacker to the first tier. |
| Credential Isolation | Login passwords and API keys are wrapped in SecureCredential with 30-minute TTL auto-wipe. Original values are scrubbed from process.env immediately after reading. A memory-dump attacker gets at most a 30-minute window instead of the lifetime of the process. |
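The lockout schedule in the table, as an added example that is not the project's own code: a per-client tracker whose escalation tier survives the lockout expiring, driven with an injectable clock so the whole 5/15/45/240-minute ladder can be exercised in a test. The class name, the assumption that five failures trigger the first lockout and every later failure escalates immediately, and the in-memory store are mine, not the project's.

```typescript
// Added example (not the project's own code): escalating lockout for failed MCP auth.
// Tiers follow the release notes (5 min -> 15 min -> 45 min -> 4 h cap); the class name,
// the 5-failure threshold for the first lockout and the in-memory store are assumptions.

const LOCKOUT_TIERS_MS: number[] = [5, 15, 45, 240].map((min) => min * 60_000);
const FAILURES_BEFORE_FIRST_LOCKOUT = 5; // assumed; after the first lockout every failure escalates

interface ClientState {
  failures: number;    // consecutive failures since the last lockout or success
  tier: number;        // escalation level; NOT cleared when a lockout expires
  lockedUntil: number; // epoch ms
}

function tierDuration(tier: number): number {
  const i = Math.min(tier, LOCKOUT_TIERS_MS.length - 1); // clamp at the 4 h cap
  return LOCKOUT_TIERS_MS[i] ?? 0;
}

class LockoutTracker {
  private clients = new Map<string, ClientState>();

  // Injectable clock so the schedule can be tested without waiting hours.
  constructor(private readonly now: () => number = () => Date.now()) {}

  // Remaining lockout in ms, or 0 if the client may attempt authentication.
  lockedFor(clientId: string): number {
    const s = this.clients.get(clientId);
    return s ? Math.max(0, s.lockedUntil - this.now()) : 0;
  }

  // Record a failed attempt. Returns the lockout applied in ms (0 if none).
  recordFailure(clientId: string): number {
    const remaining = this.lockedFor(clientId);
    if (remaining > 0) return remaining; // attempts during a lockout are rejected, not counted

    const s = this.clients.get(clientId) ?? { failures: 0, tier: 0, lockedUntil: 0 };
    this.clients.set(clientId, s);
    s.failures += 1;

    const threshold = s.tier === 0 ? FAILURES_BEFORE_FIRST_LOCKOUT : 1;
    if (s.failures < threshold) return 0;

    const duration = tierDuration(s.tier);
    s.lockedUntil = this.now() + duration;
    s.tier += 1;    // escalate; survives the lockout expiring
    s.failures = 0; // the counter restarts, the tier does not
    return duration;
  }

  // Only a successful authentication clears the escalation for that client.
  recordSuccess(clientId: string): void {
    this.clients.delete(clientId);
  }
}

// Drive the tracker with a fake clock: the attacker waits out each lockout and keeps
// failing. Returns the lockouts applied, in minutes. The client id is a constructed value.
function lockoutSchedule(attempts: number, clientId = "198.51.100.7"): number[] {
  let clock = 0;
  const tracker = new LockoutTracker(() => clock);
  const applied: number[] = [];
  for (let i = 0; i < attempts; i++) {
    const ms = tracker.recordFailure(clientId);
    if (ms > 0) {
      applied.push(ms / 60_000);
      clock += ms; // wait out the lockout, then try again
    } else {
      clock += 1_000;
    }
  }
  return applied;
}
```

Two things a deployment still has to decide: what `clientId` is (behind a reverse proxy, trust a forwarded-for header only if the proxy sets it) and when idle entries are evicted, since an unbounded Map is itself a resource-exhaustion target.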
🏗️ Architecture Overhaul — Handler Split
The monolithic 3,611-line handlers.ts has been split into 9 domain modules:
src/tools/handlers/
├── ask-question.ts — Core Q&A
├── session-management.ts — Session lifecycle
├── auth.ts — Google auth flows
├── notebook-management.ts — Library CRUD
├── notebook-creation.ts — Create/batch/sync/sources
├── system.ts — Quota, cleanup, project info
├── audio-video.ts — Audio/video/data table
├── webhooks.ts — Webhook management
├── gemini.ts — Deep research, documents
├── types.ts — HandlerContext interface
└── index.ts — Facade class
The 500-line switch/case in index.ts was replaced with a tool registry Map — built once at startup, O(1) dispatch for all 48 tools.
🛡️ Filesystem Tool Gating
add_folder, cleanup_data, and export_library now require authentication even when auth is globally disabled. These tools can modify the filesystem and must never be callable without a valid token.
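The registry dispatch from the architecture section and the per-tool gating above, as one added example that is not the project's handler or auth code. It also shows the shape of the `forceAuth` bypass listed in the security audit (the global opt-out checked before the per-tool flag) next to a fixed check that fails closed. The three gated tool names come from this page; the handler bodies, the `AuthConfig` shape, the helper names and the token values in the test are assumptions.

```typescript
// Added example, not the project's handler or auth code: a tool registry built once at
// startup (a Map instead of a switch/case) with per-tool auth gating. The three gated tool
// names come from the release notes; the handler bodies, AuthConfig shape, helper names and
// the token values used in the driver are assumptions.

type ToolArgs = Record<string, unknown>;
type Handler = (args: ToolArgs) => unknown;

interface ToolEntry {
  handler: Handler;
  forceAuth: boolean; // true: a valid token is required even when auth is globally disabled
}

interface AuthConfig {
  enabled: boolean; // global switch; secure-by-default means true unless explicitly opted out
  token: string;    // server-generated token ("" when none exists)
}

// Compare without short-circuiting on the first mismatching character, so a wrong token
// does not leak how much of it matched. Node's crypto.timingSafeEqual is the usual choice;
// this version avoids the import so the example runs anywhere.
function constantTimeEqual(a: string, b: string): boolean {
  const n = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// The bug class the audit describes: the global switch is consulted first, so a forceAuth
// tool is reachable with any token, or none, whenever auth is globally disabled.
function authorizeVulnerable(cfg: AuthConfig, tool: ToolEntry, presented?: string): boolean {
  if (!cfg.enabled) return true; // never reaches the forceAuth check below
  const required = cfg.enabled || tool.forceAuth;
  return !required || (presented !== undefined && constantTimeEqual(presented, cfg.token));
}

// Fixed: forceAuth is OR-ed into the requirement, and the check fails closed when there is
// no token material to validate against.
function authorize(cfg: AuthConfig, tool: ToolEntry, presented?: string): boolean {
  const required = cfg.enabled || tool.forceAuth;
  if (!required) return true;
  if (cfg.token === "" || presented === undefined) return false;
  return constantTimeEqual(presented, cfg.token);
}

function buildRegistry(): Map<string, ToolEntry> {
  const registry = new Map<string, ToolEntry>();
  const register = (name: string, handler: Handler, forceAuth = false): void => {
    registry.set(name, { handler, forceAuth });
  };
  // Read-only tools follow the global setting.
  register("ask_question", (args) => ({ answer: `stubbed answer for ${String(args.question)}` }));
  // Filesystem-touching tools are always gated.
  register("add_folder", (args) => ({ added: String(args.path) }), true);
  register("cleanup_data", () => ({ cleaned: true }), true);
  register("export_library", (args) => ({ exported: String(args.dest) }), true);
  return registry;
}

interface DispatchResult { ok: boolean; result?: unknown; error?: string }

class ToolDispatcher {
  constructor(private readonly registry: Map<string, ToolEntry>, private readonly cfg: AuthConfig) {}

  dispatch(name: string, args: ToolArgs, presentedToken?: string): DispatchResult {
    const entry = this.registry.get(name); // O(1) lookup, no switch/case to keep in sync
    if (!entry) return { ok: false, error: `unknown tool: ${name}` };
    if (!authorize(this.cfg, entry, presentedToken)) return { ok: false, error: "unauthorized" };
    return { ok: true, result: entry.handler(args) };
  }
}
```

The design point is that the gating decision lives in one `authorize` function called by the dispatcher, not inside each handler, so a new filesystem tool registered with `forceAuth: true` cannot forget the check; the registry Map is also the natural place to assert at startup that every tool which touches disk carries that flag.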
🔑 Token Management CLI
Lost your token? No problem:
npx notebooklm-mcp token show # Check token status
npx notebooklm-mcp token rotate # Generate new token (invalidates old)
First-run token display now shows copy-pasteable commands with your actual token value.
🐳 Multi-Stage Docker Build
New 2-stage Dockerfile keeps dev dependencies out of production images. ~40-60% smaller image size. New .dockerignore prevents test files, docs, and secrets from leaking into builds.
⚡ Reliability Improvements
- Gemini API retry: exponential backoff on 429/500/502/503 errors (3 retries; no retry on 400/401/403/404)
- Configurable response timeout: NLMCP_RESPONSE_TIMEOUT_MS (default: 120s)
- File permission audit trail: permission failures are now logged and audited instead of silently swallowed
- Locale-agnostic selectors: removed hardcoded German-locale browser selectors
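The retry policy from the first bullet, as an added example that is not the project's Gemini client: retryable statuses are a closed set, 4xx client errors propagate on the first failure, the retry count is capped, and the delay grows exponentially with jitter (honouring a Retry-After hint on 429). The `HttpError` class, the 500 ms base delay, the jitter range and the `flakyOp` test double are assumptions.

```typescript
// Added example (not the project's Gemini client): a retry wrapper implementing the policy
// in the release notes: exponential backoff on 429/500/502/503, at most 3 retries, and no
// retry on 400/401/403/404. The HttpError class, the 500 ms base delay, the jitter and the
// flakyOp test double are assumptions.

class HttpError extends Error {
  constructor(public readonly status: number, public readonly retryAfterSec?: number) {
    super(`HTTP ${status}`);
    Object.setPrototypeOf(this, HttpError.prototype); // keep instanceof working under ES5 targets
  }
}

const RETRYABLE_STATUS = new Set([429, 500, 502, 503]);
const MAX_RETRIES = 3;

function isRetryable(err: unknown): err is HttpError {
  // Anything that is not a retryable HTTP status (400/401/403/404, parse errors, ...)
  // propagates immediately: retrying a bad request or a bad credential only burns quota.
  return err instanceof HttpError && RETRYABLE_STATUS.has(err.status);
}

// Delay before retry number `attempt` (0-based). A Retry-After hint on 429 wins; otherwise
// 500 ms * 2^attempt scaled by jitter in [0.5, 1) so clients do not retry in lockstep.
function backoffDelay(attempt: number, err: HttpError, rng: () => number): number {
  if (err.status === 429 && err.retryAfterSec !== undefined) return err.retryAfterSec * 1_000;
  const base = 500 * 2 ** attempt;
  return Math.floor(base * (0.5 + rng() * 0.5));
}

interface RetryOptions {
  sleep?: (ms: number) => Promise<void>; // injectable so tests do not really wait
  rng?: () => number;
}

interface RetryOutcome<T> {
  value: T;
  attempts: number;   // total calls made, including the successful one
  delaysMs: number[]; // backoff actually applied before each retry
}

async function withRetry<T>(op: () => Promise<T>, opts: RetryOptions = {}): Promise<RetryOutcome<T>> {
  const sleep = opts.sleep ?? ((ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms)));
  const rng = opts.rng ?? Math.random;
  const delaysMs: number[] = [];
  for (let attempt = 0; ; attempt++) {
    try {
      return { value: await op(), attempts: attempt + 1, delaysMs };
    } catch (err) {
      if (!isRetryable(err) || attempt >= MAX_RETRIES) throw err;
      const ms = backoffDelay(attempt, err, rng);
      delaysMs.push(ms);
      await sleep(ms);
    }
  }
}

// Test double (constructed): fails with the given statuses in order, then resolves with
// `result`. A 429 carries a 2-second Retry-After to show the hint being honoured.
function flakyOp(statuses: number[], result: string): () => Promise<string> {
  const queue = [...statuses];
  return async () => {
    const status = queue.shift();
    if (status !== undefined) throw new HttpError(status, status === 429 ? 2 : undefined);
    return result;
  };
}
```

Pair this with the response timeout from the second bullet: each attempt should carry its own deadline, otherwise a hung upstream call defeats the retry budget entirely.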
🧪 Testing
- 57 new tests covering security utilities, config parsing, range clamping, and browser options
- 168 total tests passing across 6 test files
- Tests now run in the CI pipeline (npm test step added)
New Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| NLMCP_AUTH_DISABLED | false | Explicitly disable MCP auth (not recommended) |
| NLMCP_RESPONSE_TIMEOUT_MS | 120000 | NotebookLM response timeout |
| NLMCP_FOLLOW_UP_REMINDER | (built-in) | Custom follow-up reminder text |
| NLMCP_FOLLOW_UP_ENABLED | true | Enable/disable follow-up reminder |
Breaking Changes
- Auth is now enabled by default. If you were running without NLMCP_AUTH_ENABLED=true, the server will auto-generate a token on first run. Set NLMCP_AUTH_DISABLED=true if you explicitly want no auth (not recommended).
- CONFIG.loginPassword is now blanked. Code that reads CONFIG.loginPassword directly will get an empty string. Use getSecureLoginPassword() instead.
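The second breaking change and the Credential Isolation layer together, as an added example that is not the project's SecureCredential or config module: the secret is read from the environment once, deleted from it, held behind a TTL, and the config object keeps a blank `loginPassword` field while an accessor hands out the live value. The class and function names, the NLMCP_LOGIN_PASSWORD variable name, the injected `env` object standing in for process.env (so the example runs offline) and the constructed values in the test are assumptions; the 30-minute TTL and the blanked-field-plus-accessor pattern come from this page.

```typescript
// Added example, not the project's SecureCredential or config module. The class and function
// names, the NLMCP_LOGIN_PASSWORD variable name and the injected `env` (stand-in for
// process.env) are assumptions; the 30-minute TTL and the blanked CONFIG.loginPassword /
// getSecureLoginPassword() pattern come from the release notes.

const CREDENTIAL_TTL_MS = 30 * 60_000;

class SecureCredential {
  private value: string | null;
  private readonly expiresAt: number;

  constructor(value: string, private readonly now: () => number = () => Date.now(), ttlMs = CREDENTIAL_TTL_MS) {
    this.value = value;
    this.expiresAt = now() + ttlMs;
  }

  // Returns the secret while it is alive. On expiry the reference is dropped so the string
  // becomes collectable. JavaScript strings are immutable, so the bytes cannot be overwritten
  // in place; the TTL bounds how long a live reference exists, which is what a heap dump finds.
  reveal(): string | null {
    if (this.value !== null && this.now() >= this.expiresAt) this.wipe();
    return this.value;
  }

  wipe(): void {
    this.value = null;
  }

  get alive(): boolean {
    return this.reveal() !== null;
  }

  // Keep the secret out of logs, JSON.stringify and template strings.
  toJSON(): string { return "[redacted]"; }
  toString(): string { return "[redacted]"; }
}

type Env = Record<string, string | undefined>;

// Read a secret from the environment exactly once and scrub it, so later code (and child
// processes spawned afterwards) cannot read it back from the environment.
function takeFromEnv(env: Env, key: string, now?: () => number): SecureCredential | null {
  const raw = env[key];
  delete env[key];
  if (raw === undefined || raw === "") return null;
  return new SecureCredential(raw, now);
}

interface Config {
  loginPassword: string; // kept for shape compatibility, always "" (the release blanks it)
  authDisabled: boolean;
}

interface LoadedConfig {
  CONFIG: Config;
  getSecureLoginPassword: () => string | null;
}

function loadConfig(env: Env, now?: () => number): LoadedConfig {
  const credential = takeFromEnv(env, "NLMCP_LOGIN_PASSWORD", now); // variable name is assumed
  const CONFIG: Config = {
    loginPassword: "",
    authDisabled: env["NLMCP_AUTH_DISABLED"] === "true", // explicit opt-out only; any other value keeps auth on
  };
  return { CONFIG, getSecureLoginPassword: () => (credential ? credential.reveal() : null) };
}
```

Two caveats on what the scrub does and does not buy. Deleting the key from `process.env` stops later code and later-spawned children from seeing it, but on Linux `/proc/<pid>/environ` still reflects the environment block the process was started with, so anything able to read that file (same user, or a container with a shared PID namespace) still has it; the real fix there is to not pass secrets via the environment at all. And because strings are immutable in JavaScript, "wipe" means dropping the reference, not zeroing memory; a `Buffer` filled with zeros on expiry gets closer, but copies made by intermediate string operations are outside your control either way.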
Security Audit
This release was validated by a 4-agent security review team:
- The Skeptic — Edge case and failure mode analysis
- The Sentinel — Red-team security audit with exploit chain analysis
- The Architect — Architecture and design review
- The Librarian — Code quality and style compliance
Two critical vulnerabilities were found and fixed during review:
- forceAuth bypass when auth was globally disabled (any token accepted)
- Plaintext credentials persisting in CONFIG despite SecureCredential wrapping
Full Changelog: https://github.com/Pantheon-Security/notebooklm-mcp-secure/compare/v2026.2.9...v2026.2.10
Breaking Changes
- Auth is now enabled by default; servers will generate a token on first run unless `NLMCP_AUTH_DISABLED=true` is explicitly set.
- `CONFIG.loginPassword` now returns an empty string; use `getSecureLoginPassword()` instead.
Security Fixes
No CVE identifier is given in the release notes for either fix.
- Fixed `forceAuth` bypass that allowed any token when auth was globally disabled.
- Prevented plaintext credentials from persisting in CONFIG despite SecureCredential wrapping.
About Pantheon-Security/notebooklm-mcp-secure
Security-hardened NotebookLM MCP with post-quantum encryption (ML-KEM-768), GDPR/SOC2/CSSF compliance, and 14 security layers (17 as of v2026.2.10). Query Google's Gemini-grounded research from Claude and AI agents.