
This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 1mo MCP Security & Auth

Topics: ai, automation, browser-automation, claude, google, llm, mcp, model-context-protocol, notebooklm, research, typescript

Affected surfaces: auth, rce_ssrf

Summary (AI-generated)

Auth bypass closed, webhook SSRF blocked, audit log hash‑chain verified on read, and MCP protocol compliance fully restored.

Full changelog

The Security Audit Release

We commissioned a parallel deep-audit of v2026.2.11 using four specialised AI code reviewers, each independently focused on a different attack surface: security vulnerabilities, MCP protocol correctness, architecture quality, and testing gaps and edge cases. Operating independently so their findings wouldn't influence each other, they produced a 334-item master issue list across four severity tiers.

This release resolves every high and medium issue on that list.


By the Numbers

| Metric | Before | After |
|--------|--------|-------|
| Tests | 139 | 609 across 50 files |
| TypeScript errors | 0 | 0 (maintained) |
| npm audit vulnerabilities | 0 | 0 (maintained) |
| MCP protocol compliance | Partial | Full |
| Audit log integrity | Basic | Hash-chain verified on read |
| Concurrent write safety | ❌ | ✅ Write-locked |
| Webhook SSRF | ❌ | ✅ Blocked |
| Auth bypass vectors | 1 (forceAuth) | 0 |


Security Fixes

  • Auth bypass closed — validateToken() forceAuth path allowed unauthenticated calls to filesystem tools (add_folder, cleanup_data, export_library). Fixed with forceValidation flag.
  • Auth token salt persisted — token hash salt now survives server restart; tokens no longer invalidated on every restart
  • Webhook SSRF — delivery targets validated against SSRF blocklist; HMAC signing covers all delivery attempts
  • Webhook delivery persistence — failed deliveries retried with exponential backoff; results persisted across restarts
  • Audit log hash chain verified on read — tampered entries now detected and rejected
  • Concurrent audit write lock — interleaved JSONL entries under concurrent tool calls eliminated
  • Hash chain continuity across log rotation — anchor preserved on daily boundary rotation
  • Per-page mutex — concurrent tool calls on the same browser page serialised to eliminate race conditions
  • Login cancellation resilience — auth flow handles user cancelling the Google login dialog without corrupting state
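The hash-chain-on-read, interleaved-write detection and rotation-anchor behaviour listed above, as an added TypeScript example; this is not the project's audit-logger code, and the JSONL entry layout, field names and the GENESIS anchor are assumptions.

```typescript
import { createHash } from "crypto";

// One JSONL audit line. `prev` carries the previous line's hash, so editing or
// deleting any earlier line breaks every hash after it. (Constructed layout.)
interface AuditEntry { event: string; prev: string; hash: string }
export const GENESIS = "0".repeat(64); // anchor for the very first log file

function entryHash(body: { event: string; prev: string }): string {
  // Fixed field order keeps the digest canonical regardless of JSON key order.
  return createHash("sha256").update(`${body.event}\n${body.prev}`).digest("hex");
}
// Hash of the last line, or the file's anchor when the file is still empty.
export function lastHash(lines: string[], anchor: string): string {
  return lines.length ? (JSON.parse(lines[lines.length - 1]) as AuditEntry).hash : anchor;
}
// Append an event, chaining it to the previous line (or to the rotation anchor).
export function appendEntry(lines: string[], event: string, anchor: string): string[] {
  const body = { event, prev: lastHash(lines, anchor) };
  return [...lines, JSON.stringify({ ...body, hash: entryHash(body) })];
}
// Verify on read: index of the first broken line, or -1 if the chain is intact.
// A malformed line (e.g. two writers interleaving JSONL) fails here as well.
export function verifyChain(lines: string[], anchor: string): number {
  let prev = anchor;
  for (let i = 0; i < lines.length; i++) {
    let e: AuditEntry;
    try { e = JSON.parse(lines[i]); } catch { return i; }
    if (e.prev !== prev || entryHash({ event: e.event, prev: e.prev }) !== e.hash) return i;
    prev = e.hash;
  }
  return -1;
}
// Daily rotation: the new file's anchor is the old file's last hash, so the
// chain continues across the boundary instead of restarting from GENESIS.
export function rotate(oldLines: string[], oldAnchor: string): { anchor: string; lines: string[] } {
  return { anchor: lastHash(oldLines, oldAnchor), lines: [] };
}
// Constructed demo: two days of log, verified intact, then day 1 tampered.
export function demo(): { day1Ok: boolean; day2Ok: boolean; tamperedAt: number } {
  let day1: string[] = [];
  for (const ev of ["tool_call:add_folder", "tool_call:export_library"]) day1 = appendEntry(day1, ev, GENESIS);
  const day2 = rotate(day1, GENESIS);
  const day2Lines = appendEntry(day2.lines, "tool_call:cleanup_data", day2.anchor);
  const tampered = [...day1];
  tampered[0] = tampered[0].replace("add_folder", "delete_folder");
  return {
    day1Ok: verifyChain(day1, GENESIS) === -1,
    day2Ok: verifyChain(day2Lines, day2.anchor) === -1,
    tamperedAt: verifyChain(tampered, GENESIS),
  };
}
```

Truncating the tail of a file is not visible to the chain inside that file alone; comparing lastHash() of the rotated file against the anchor recorded for the next file catches it.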

MCP Protocol Compliance

  • Response shape — all 48 tools return correct structuredContent/isError shapes; error responses use isError: true; transport tags stripped before delivery; server sends notifications/cancelled on shutdown
  • Annotation correctness — readOnlyHint, idempotentHint, destructiveHint accurate for all 48 tools
  • Schema bounds — all numeric/string parameters have explicit min/max constraints (no more out-of-range inputs accepted)

Architecture

  • 3,611-line handlers.ts decomposed into 9 domain modules with HandlerContext dependency injection — all domain functions now unit-testable without process-level mocks
  • Tool registry — Map<string, ToolHandler> replaces 500-line switch/case; O(1) dispatch
  • Notebook creator split into dedicated src/notebook-creation/ module with typed domain errors

Test Coverage — 50 New Test Suites

Key new suites: browser-session, shared-context-manager, prompt-injection (40+ patterns), audit-logger (hash chain, tampering, rotation), mcp-auth, webhook-dispatcher, dsar-handler, compliance, notebook-library, settings-manager, cleanup-manager, file-permissions

Security-critical module coverage: mcp-auth.ts 75.7%, webhook-dispatcher.ts 71.4%, data-erasure.ts 72.0%

Selector & Browser Reliability

  • Notebook name selector no longer matches search inputs (inSearch() exclusion)
  • Text source flow validates the target textarea before typing; skips search/web-context textareas
  • Video tile detection locale-independent; Studio panel selector resilient to class renames

Claims Aligned with Implementation

  • Certificate pinning retracted — pinning implementation was removed in the audit; NLMCP_CERT_PINNING env var removed; all documentation updated
  • PQ encryption scope — README and architecture diagram now consistent with SECURITY.md ("local at-rest, not Harvest-Now-Decrypt-Later")
  • Compliance language — uses "compliance-ready architecture (controls implemented)" throughout; does not imply formal SOC2 Type II report, GDPR registration, or CSSF submission

Install

claude mcp add notebooklm -- npx @pan-sec/notebooklm-mcp@latest

Full documentation: SECURITY.md, CHANGELOG.md

Breaking Changes

  • Removed `NLMCP_CERT_PINNING` environment variable and associated certificate‑pinning implementation.

Security Fixes

  • Auth bypass closed — `validateToken()` no longer allows unauthenticated calls to filesystem tools via the `forceAuth` path; enforced with `forceValidation` flag.
  • Webhook SSRF blocked — delivery targets now validated against an SSRF blocklist and all deliveries HMAC‑signed.
  • Audit log hash chain verified on read — tampered entries are detected and rejected, preserving continuity across daily rotations.
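The webhook hardening listed above (SSRF blocklist on the delivery target plus HMAC signing of every delivery), as an added TypeScript example that is not the project's webhook-dispatcher code; the blocked ranges, header names and the timestamp-in-signature scheme are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "crypto";
import { isIP } from "net";

// Reject delivery targets that could reach loopback, link-local, RFC 1918 or
// unique-local addresses. Only the literal host is checked here; a dispatcher
// must also re-check the resolved address and every redirect hop, since DNS can
// point a public name at 10.0.0.1. (Constructed policy, not the project's list.)
export function isBlockedTarget(target: string): boolean {
  let u: URL;
  try { u = new URL(target); } catch { return true; }          // unparsable: block
  if (u.protocol !== "https:") return true;                   // http/file/gopher: block
  // WHATWG URL parsing already canonicalises 2130706433 or 0x7f000001 to 127.0.0.1.
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal")) return true;
  if (isIP(host) === 6) return /^(::1$|::ffff:|f[cd]|fe[89ab])/.test(host);
  if (isIP(host) === 4) {
    const [a, b] = host.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  return false;
}

// Sign `${ts}.${body}` so the receiver can bound replay by rejecting stale timestamps.
export function signDelivery(secret: string, body: string, ts: number): string {
  return createHmac("sha256", secret).update(`${ts}.${body}`).digest("hex");
}

// Receiver side: constant-time compare plus a clock-skew window (seconds).
export function verifySignature(secret: string, body: string, ts: number, sig: string,
                                now: number, maxSkewSec = 300): boolean {
  if (Math.abs(now - ts) > maxSkewSec) return false;
  const expected = Buffer.from(signDelivery(secret, body, ts), "hex");
  const given = Buffer.from(sig, "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Build a signed delivery, refusing any target that fails the blocklist.
export function prepareDelivery(target: string, payload: object, secret: string, now: number):
  { ok: false; reason: string } | { ok: true; body: string; headers: Record<string, string> } {
  if (isBlockedTarget(target)) return { ok: false, reason: "target blocked by SSRF policy" };
  const body = JSON.stringify(payload);
  return { ok: true, body, headers: {
    "X-Webhook-Timestamp": String(now),
    "X-Webhook-Signature": signDelivery(secret, body, now),
  } };
}
```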


About Pantheon-Security/notebooklm-mcp-secure

Security-hardened NotebookLM MCP with post-quantum encryption (ML-KEM-768), GDPR/SOC2/CSSF compliance, and 14 security layers. Query Google's Gemini-grounded research from Claude and AI agents.
