This release includes 2 security fixes relevant to security teams reviewing exposed deployments.
Summary
AI summary: fix: escape HTML in OAuth callback responses to prevent XSS
Full changelog
What's Changed
- Improved Google API resource cleanup to ensure cycles are released after services close, including when some authentications fail by @taylorwilsdon and @azelcs in https://github.com/taylorwilsdon/google_workspace_mcp/pull/725
- fix: escape HTML in OAuth callback responses to prevent XSS by @joshjacobson in https://github.com/taylorwilsdon/google_workspace_mcp/pull/559
- Skip trashed messages in _fetch_thread_reply_context to prevent ghost drafts by @AaronHallAttorney in https://github.com/taylorwilsdon/google_workspace_mcp/pull/728
- feat: add WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS config by @andyroyle in https://github.com/taylorwilsdon/google_workspace_mcp/pull/726
- feat: gcs credential store by @taylorwilsdon in https://github.com/taylorwilsdon/google_workspace_mcp/pull/724
- single user mode fix by @taylorwilsdon in https://github.com/taylorwilsdon/google_workspace_mcp/pull/729
- Add update_tab_from_markdown tool and fix addDocumentTab response key by @juliandickie in https://github.com/taylorwilsdon/google_workspace_mcp/pull/727
- feat(gmail): add return_base64 option to get_gmail_attachment_content by @DannyOosterveer in https://github.com/taylorwilsdon/google_workspace_mcp/pull/723
- Fix OAuth callback server silently accepting foreign listener on callback port by @rpeck in https://github.com/taylorwilsdon/google_workspace_mcp/pull/719
- feat(sheets): add delete_sheet_rows and move_sheet_rows by @abedegno in https://github.com/taylorwilsdon/google_workspace_mcp/pull/730
- feat(gmail): add include_analysis flag to get_gmail_thread_content by @asreynolds1000 in https://github.com/taylorwilsdon/google_workspace_mcp/pull/702
As always, a huge thank you to our contributors!
New Contributors
- @joshjacobson made their first contribution in https://github.com/taylorwilsdon/google_workspace_mcp/pull/559
- @AaronHallAttorney made their first contribution in https://github.com/taylorwilsdon/google_workspace_mcp/pull/728
- @andyroyle made their first contribution in https://github.com/taylorwilsdon/google_workspace_mcp/pull/726
- @juliandickie made their first contribution in https://github.com/taylorwilsdon/google_workspace_mcp/pull/727
- @DannyOosterveer made their first contribution in https://github.com/taylorwilsdon/google_workspace_mcp/pull/723
- @rpeck made their first contribution in https://github.com/taylorwilsdon/google_workspace_mcp/pull/719
- @asreynolds1000 made their first contribution in https://github.com/taylorwilsdon/google_workspace_mcp/pull/702
Full Changelog: https://github.com/taylorwilsdon/google_workspace_mcp/compare/v1.20.0...v1.20.1
Security Fixes
- fix: escape HTML in OAuth callback responses — prevents XSS (CVE not provided)
- Fix OAuth callback server silently accepting foreign listener on callback port — mitigates unauthorized access risk (CVE not provided)
About taylorwilsdon/google_workspace_mcp
Comprehensive Google Workspace MCP server with full support for Google Calendar, Drive, Gmail, and Docs, Forms, Chats, Slides and Sheets over stdio, Streamable HTTP and SSE transports.