
rps321321/obsidian-mcp-pro

v1.9.0 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 23d MCP Developer Tools
✓ No known CVEs patched
This release patches 6 known CVEs

Affected surfaces

auth rce_ssrf deps

ReleasePort's take

Light signal
editorial:auto 13d

Bearer token leakage via process.argv has been redacted; HTTP DNS‑rebinding protection is now functional and several ReDoS issues have been mitigated.

Why it matters: Patch to v1.9.0 immediately because a bearer token was exposed in argv, DNS‑rebinding could bypass security controls, and multiple ReDoS flaws are fixed.

Summary

AI summary

HTTP DNS‑rebinding protection now works; ReDoS vulnerabilities in replace_in_note and the .base filter parser, and a YAML alias-bomb DoS in .base files, are fixed.

Changes in this release

Security (Medium)

  • Bearer token leaked via process.argv / ps, now redacted post-parse. (Source: llm_adapter@2026-05-21; confidence: high)
  • HTTP DNS-rebinding protection was a no-op; allowedHosts is now mutated in place. (Source: llm_adapter@2026-05-21; confidence: high)
  • YAML alias-bomb DoS in .base files prevented with JSON_SCHEMA and size cap. (Source: llm_adapter@2026-05-21; confidence: high)
  • ReDoS in replace_in_note fixed with flag allowlist and input caps. (Source: llm_adapter@2026-05-21; confidence: high)
  • ReDoS in .base filter parser fixed with bounded character classes. (Source: llm_adapter@2026-05-21; confidence: high)
  • install serverName guarded against control chars and ANSI escapes. (Source: llm_adapter@2026-05-21; confidence: high)
  • Windows drive-relative and UNC paths explicitly rejected. (Source: llm_adapter@2026-05-21; confidence: high)
  • EACCES leak from assertRealPathWithinVault closed. (Source: llm_adapter@2026-05-21; confidence: high)
  • HTTP hardened: 415 on non-JSON POST, /version bearer-gated, handlers de-duplicated. (Source: llm_adapter@2026-05-21; confidence: high)

Feature (Medium)

  • All 13 documented Bases file.* properties wired through. (Source: llm_adapter@2026-05-21; confidence: low)
  • Bases chained-method DSL added: file.name.contains(), .hasTag(), etc. (Source: llm_adapter@2026-05-21; confidence: low)
  • Daily-note moment tokens added: A/a, W/WW/ww, gggg/gg, E/e, X/x. (Source: llm_adapter@2026-05-21; confidence: low)
  • create_daily_note template substitution for {{date}}, {{time}}, {{title}}. (Source: llm_adapter@2026-05-21; confidence: low)
  • add_canvas_node auto-stagger prevents nodes stacking at origin. (Source: llm_adapter@2026-05-21; confidence: low)

Performance

  • (Medium) find_broken_links now runs in parallel. (Source: llm_adapter@2026-05-21; confidence: low)
  • (Medium) Ollama provider probe no longer re-embeds chunk 0 on cold start. (Source: llm_adapter@2026-05-21; confidence: low)
  • (Medium) get_vault_stats uses single-pass instead of double-scan. (Source: llm_adapter@2026-05-21; confidence: low)
  • (Low) `index_vault` wrapped in vault‑level lock; correct per‑chunk count; embedding store limited to 256 MB snapshot. (Source: granite4.1:30b@2026-05-24-audit; confidence: low)

Bugfix (Medium)

  • query_base silently dropped notes on read error. (Source: llm_adapter@2026-05-21; confidence: high)
  • Cache flush race dropped writes on shutdown. (Source: llm_adapter@2026-05-21; confidence: high)
  • delete_note elicitation gate widened to prevent silent skips. (Source: llm_adapter@2026-05-21; confidence: high)
  • HTTP shutdown no longer hangs on keep-alive or SSE connections. (Source: llm_adapter@2026-05-21; confidence: high)
  • Tag-rename no longer adds blank line between frontmatter and body. (Source: llm_adapter@2026-05-21; confidence: high)
  • get_backlinks and get_outlinks thread alias map through resolution. (Source: llm_adapter@2026-05-21; confidence: high)
  • find_unused_attachments now reports correct reclaim total. (Source: llm_adapter@2026-05-21; confidence: high)
  • obsidian://daily throws on missing instead of returning synthetic content. (Source: llm_adapter@2026-05-21; confidence: high)
  • Canvas tools enforce .canvas extension. (Source: llm_adapter@2026-05-21; confidence: high)
  • Frontmatter wikilinks now double-quoted for Properties editor compatibility. (Source: llm_adapter@2026-05-21; confidence: high)
  • CommonMark closing-fence indentation corrected in section parser. (Source: llm_adapter@2026-05-21; confidence: high)
  • index_vault wrapped in vault-level lock for concurrent access. (Source: llm_adapter@2026-05-21; confidence: low)
  • dayOfYear fixed for UTC and local time at year boundaries. (Source: llm_adapter@2026-05-21; confidence: low)
  • `dayOfYear` calculation fixed for UTC/local boundary cases. (Source: granite4.1:30b@2026-05-24-audit; confidence: low)

Full changelog

Large audit-fix wave: 44 real bugs fixed across 22 source files, 22 new regression test suites added (638 tests passing, 0 failures). Minor bump because the Bases parser learns the chained-method DSL Obsidian 1.9.2+ introduced (backward-compatible new feature, not a breaking change).

Added

  • Bases chained-method DSL (Obsidian 2026 spec): file.name.contains("x"), file.hasTag("x"), file.hasProperty("k"), file.inFolder("p"), file.linksTo("y"), plus generic .contains / .startsWith / .endsWith / .equals / .isEmpty / .isNotEmpty on any property chain. Legacy function-form and infix comparisons still work.
  • All 13 documented Bases file.* properties wired through: file.name, file.basename, file.path, file.folder, file.ext, file.tags, file.size, file.ctime, file.mtime, file.properties, file.links, file.embeds, file.backlinks.
  • Daily-note moment tokens: A/a, W/WW/ww, gggg/gg, E/e, X/x.
  • create_daily_note template substitution for {{date}}, {{date:FMT}}, {{title}}, {{time}}, {{time:FMT}}.
  • add_canvas_node auto-stagger so nodes added without explicit x/y no longer all stack at the origin.
  • 22 new regression test suites.

Fixed - Security

  • HTTP DNS-rebinding protection was a no-op. allowedHosts was reassigned after the transport captured the empty original. Now mutated in place.
  • ReDoS in replace_in_note. Flag allowlist, 4096-char find cap, 1 MB input cap.
  • ReDoS in .base filter parser. Bounded character classes.
  • YAML alias-bomb DoS in .base files. JSON_SCHEMA plus 1 MB size cap.
  • Bearer token leaked via process.argv / ps. Now redacted post-parse.
  • install serverName guarded against control chars / ANSI escapes.
  • Windows drive-relative and UNC paths explicitly rejected.
  • EACCES leak from assertRealPathWithinVault closed.
  • delete_note elicitation gate widened so spec-compliant clients no longer silently skip the confirmation.
  • HTTP: 415 on non-JSON POST; /version non-GET gated on bearer; SIGINT/SIGTERM handlers de-duplicated.
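The first item in the list above is an aliasing bug, not a logic bug: the transport kept a reference to the original (empty) allowedHosts array, the server later assigned a new array to the config property, and the transport never saw it. Since an empty allowlist means "no Host check", the protection was silently off. The following added example (not obsidian-mcp-pro's code, nor the MCP SDK's) reproduces the broken and the fixed wiring against a small stand-in transport; createHostGuard, buildGuardBroken, buildGuardFixed and gateRequest are hypothetical names, and the empty-list-means-no-check behaviour is modelled on the changelog's description.

```javascript
// Added example, not the project's code: why reassigning an allowlist after a
// transport captured it leaves DNS-rebinding protection a no-op, and the fix.

// Stand-in transport: keeps the array reference it was handed at construction.
// An empty allowlist means "do not check Host", which is what makes the bug silent.
function createHostGuard(allowedHosts) {
  return {
    isHostAllowed(hostHeader) {
      if (allowedHosts.length === 0) return true;          // no allowlist => no protection
      return allowedHosts.includes(hostnameOf(hostHeader));
    },
  };
}

// Hostname from a Host header: "localhost:3000" -> "localhost", "[::1]:3000" -> "::1".
function hostnameOf(hostHeader) {
  const h = String(hostHeader || '').trim().toLowerCase();
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    return end === -1 ? '' : h.slice(1, end);
  }
  return h.split(':')[0];
}

// BEFORE (the no-op): config.allowedHosts is reassigned after the guard captured the
// empty original array, so the guard keeps seeing [] and accepts every Host header.
function buildGuardBroken() {
  const config = { allowedHosts: [] };
  const guard = createHostGuard(config.allowedHosts);
  config.allowedHosts = ['localhost', '127.0.0.1', '::1'];   // new array; guard never sees it
  return guard;
}

// AFTER (the fix): mutate the array the guard already holds.
function buildGuardFixed() {
  const config = { allowedHosts: [] };
  const guard = createHostGuard(config.allowedHosts);
  config.allowedHosts.push('localhost', '127.0.0.1', '::1');
  return guard;
}

// Request gate: the status a handler should send before touching the MCP endpoint.
// A rebinding page in a browser still sends its own hostname in Host, so a Host that
// is not in the allowlist gets 403 and never reaches the tool layer.
function gateRequest(guard, headers) {
  return guard.isHostAllowed(headers.host) ? 200 : 403;
}
```

A regression test for this class of bug is cheap: construct the transport with the configured allowlist, then assert that a request with a foreign Host header is rejected. The broken wiring passes every "allowed host" test and only fails the negative one, which is why the negative case must be in the suite.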

Fixed - Data integrity

  • Cache flush race dropped writes on shutdown.
  • find_unused_attachments under-reported reclaim total when limit < unused.
  • query_base silently dropped notes on read error.
  • Tag-rename added a blank line between frontmatter and body on every run.
  • dayOfYear mixed UTC and local time at year boundaries in non-UTC zones.
  • Frontmatter wikilinks now double-quoted (Properties editor compatible).
  • CommonMark-correct closing-fence indentation in section parser.
  • find_broken_links is now parallel.
  • get_backlinks / get_outlinks thread the alias map through resolution.
  • Canvas tools enforce .canvas extension.
  • HTTP shutdown no longer hangs on keep-alive / SSE.
  • get_vault_stats single-pass instead of double-scan.
  • index_vault wrapped in a vault-level lock; correct per-chunk count; embedding-store has a 256 MB persisted-snapshot cap.
  • Ollama provider probe no longer re-embeds chunk 0 on cold start.
  • obsidian://daily throws on missing instead of returning synthetic content.

Notes

Two findings from the deep audit were verified false positives and pinned as schema-invariant tests so the claim can be re-evaluated against the test suite: rename_tag's Zod regex does correctly accept hierarchical names, and the rate-limiter's delete-instead-of-set branch is unreachable given the constructor's limit > 0 invariant.

Full changelog: https://github.com/rps321321/obsidian-mcp-pro/blob/master/CHANGELOG.md
npm: https://www.npmjs.com/package/obsidian-mcp-pro/v/1.9.0

Security Fixes

  • HTTP DNS‑rebinding protection was a no‑op; `allowedHosts` now mutated in place
  • ReDoS vulnerability fixed in `replace_in_note` (find cap 4096 chars, input cap 1 MB)
  • ReDoS vulnerability fixed in `.base` filter parser (bounded character classes)
  • YAML alias‑bomb DoS mitigated in `.base` files (JSON_SCHEMA validation + 1 MB size cap)
  • Bearer token leakage via `process.argv` / `ps` now redacted
  • Control characters/ANSI escapes guarded against in `install` `serverName`
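Three of the fixes listed above are input guards on untrusted strings: the replace_in_note pattern (flag allowlist, 4096-char find cap, 1 MB input cap), the bearer token read from process.argv, and the install serverName. The block below is an added example and not the project's code. The 4096-char and 1 MB caps come from the changelog; the ALLOWED_FLAGS set, the `--token` flag name, the literal-mode option, the serverName allowlist regex and all function names are assumptions.

```javascript
// Added example, not the project's code: input guards matching three of the
// v1.9.0 security fixes. Caps are the changelog's; names and policies are assumed.

const MAX_FIND_LENGTH = 4096;                 // changelog: 4096-char find cap
const MAX_INPUT_BYTES = 1024 * 1024;          // changelog: 1 MB input cap
const ALLOWED_FLAGS = new Set(['g', 'i', 'm', 's', 'u']);   // assumed allowlist

// 1) replace_in_note: cap the pattern, cap the haystack, allowlist the flags.
//    The caps bound how much work a pathological pattern can do; literal mode
//    (assumed option) escapes metacharacters and removes backtracking risk entirely
//    for callers that only need plain string replacement.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function buildReplacePattern(find, { flags = '', literal = false } = {}) {
  if (typeof find !== 'string' || find.length === 0) {
    throw new TypeError('find must be a non-empty string');
  }
  if (find.length > MAX_FIND_LENGTH) {
    throw new RangeError(`find exceeds ${MAX_FIND_LENGTH} characters`);
  }
  for (const f of flags) {
    if (!ALLOWED_FLAGS.has(f)) throw new RangeError(`regex flag not allowed: ${JSON.stringify(f)}`);
  }
  return new RegExp(literal ? escapeRegex(find) : find, flags);
}

function replaceInNote(content, find, replacement, options = {}) {
  if (Buffer.byteLength(content, 'utf8') > MAX_INPUT_BYTES) {
    throw new RangeError('note exceeds 1 MB input cap');
  }
  const re = buildReplacePattern(find, options);
  // A replacer function inserts the replacement verbatim, so "$1" / "$&" in
  // user-supplied text are not interpreted as substitution patterns.
  return content.replace(re, () => replacement);
}

// 2) Bearer token: read it, then overwrite the argv slot so later crash reports,
//    debug dumps or error messages that include process.argv do not carry it.
const TOKEN_FLAG = '--token';                 // assumed flag name

function extractAndRedactToken(argv, flag = TOKEN_FLAG) {
  let token;
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === flag && i + 1 < argv.length) {
      token = argv[i + 1];
      argv[i + 1] = '<redacted>';
    } else if (arg.startsWith(flag + '=')) {
      token = arg.slice(flag.length + 1);
      argv[i] = `${flag}=<redacted>`;
    }
  }
  return token;
}

// 3) install serverName: an allowlist beats a denylist of escape sequences. This
//    rejects every control character (ESC included, so every ANSI sequence) and
//    anything outside a short printable identifier. Policy is assumed.
const SERVER_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

function assertSafeServerName(name) {
  if (typeof name !== 'string' || !SERVER_NAME_RE.test(name)) {
    throw new Error('invalid serverName: use 1-64 characters from [A-Za-z0-9._-]');
  }
  return name;
}
```

One caveat on the argv redaction: overwriting entries of process.argv changes the copy Node exposes to JavaScript, which covers the process's own logs and diagnostics, but it does not rewrite the command line the kernel reports to other processes (what `ps` or /proc/<pid>/cmdline shows). A deployment that must keep the token out of `ps` should pass it through an environment variable or a file rather than an argument.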


About rps321321/obsidian-mcp-pro

Feature-complete Obsidian vault MCP server with 23 tools and 3 resources. Full-text search, note CRUD, frontmatter queries, tag management, backlinks, graph traversal (BFS up to 5 hops), orphan/broken link detection, and canvas support. Auto-detects vault, path traversal protection, MIT licensed.

