taylorwilsdon/google_workspace_mcp

v1.21.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 4d MCP SaaS Integrations

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ai g-suite gmail google-calendar google-chat google-docs

+14 more

google-drive google-forms google-sheets google-tasks google-workspace gsuite llm llm-tools mcp mcp-server model-context-protocol model-context-protocol-server model-context-protocol-servers workspace

Affected surfaces

auth

Summary

AI summary

Auto‑open OAuth browser, embed Gmail images inline, and convert Office uploads to Google formats on Drive.

Changes in this release

Type	Severity	Summary	CVE
Security	High	Hardens host‑binding protections for legacy OAuth mode. Hardens host‑binding protections for legacy OAuth mode. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature
Feature	Medium	Auto‑open browser for OAuth with `login_hint` support. Auto‑open browser for OAuth with `login_hint` support. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Medium	Gmail now supports inline image attachments via `content_id`. Gmail now supports inline image attachments via `content_id`. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Medium	Drive automatically converts Office uploads to native Google Slides and Sheets. Drive automatically converts Office uploads to native Google Slides and Sheets. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Medium	Logging honors `WORKSPACE_MCP_LOG_DIR` environment variable for output directory. Logging honors `WORKSPACE_MCP_LOG_DIR` environment variable for output directory. Source: llm_adapter@2026-05-30 Confidence: high	—
Dependency	Low	Bumped idna from version 3.11 to 3.15 in the uv group. Bumped idna from version 3.11 to 3.15 in the uv group. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix
Bugfix	Medium	Slides `get_page` and `get_presentation` now extract text from grouped shapes. Slides `get_page` and `get_presentation` now extract text from grouped shapes. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix	Medium	Calendar `get_events` now includes creator and organizer fields. Calendar `get_events` now includes creator and organizer fields. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix	Medium	Calendar event edits use `.patch()` instead of `.update()` to avoid HTTP 400 errors on Meet events. Calendar event edits use `.patch()` instead of `.update()` to avoid HTTP 400 errors on Meet events. Source: llm_adapter@2026-05-30 Confidence: high	—
Bugfix	Medium	Attachments normalize Unicode whitespace in saved filenames. Attachments normalize Unicode whitespace in saved filenames. Source: llm_adapter@2026-05-30 Confidence: high	—

Full changelog

Release v1.21.1

This release sharpens the OAuth login experience, hardens host binding in legacy auth mode, and brings a batch of fixes and quality-of-life improvements across Gmail, Calendar, Slides, and Drive. A warm welcome to the six new contributors who landed their first changes here.

New Features

Auto-open browser for OAuth, with login_hint support — the sign-in flow now launches your browser automatically and can pre-fill the account, making first-run setup noticeably smoother. Thanks to @usiegj00 (#556).
Gmail: inline image attachments — embed images directly in message bodies using the content_id key. Thanks to @luoxin9510 (#763).
Drive: Office → Google conversion on upload — import_to_google_slides and import_to_google_sheets now convert Office files into native Google formats as they're uploaded. Thanks to @szhygulin (#822).
Logging: honor WORKSPACE_MCP_LOG_DIR — point file logging at a directory of your choosing via the new environment variable. Thanks to @acato (#814).

Fixes

Slides: extract text from grouped shapes — get_page and get_presentation now read text inside grouped shapes instead of skipping it. Thanks to @bryanelliot (#785).
Calendar: include creator and organizer in get_events — detailed event output now surfaces who created and organizes each event (closes #797). Thanks to @justadityaraj (#799).
Calendar: use .patch() instead of .update() for event edits — resolves the HTTP 400 returned when modifying Google Meet events. Thanks to @pgcath (#801).
Attachments: normalize Unicode whitespace in saved filenames — handles cases like the macOS narrow no-break space (U+202F) so saved files get clean, predictable names. Thanks to @drewgillson (#817).
Issue #809 addressed by @taylorwilsdon (#823).
Issues #712 and #810 addressed by @taylorwilsdon (#824).

Hardening

Stronger host-binding protections for legacy OAuth mode — tightens how the server binds when running in the legacy auth path. Thanks to @taylorwilsdon (#804).

Maintenance

Add .dockerignore to keep build contexts lean. Thanks to @taylorwilsdon (#796).
Bump idna from 3.11 to 3.15 in the uv group. Thanks to @dependabot[bot] (#802).

New Contributors

As always, huge thanks to our contributors!

@bryanelliot made their first contribution in #785
@justadityaraj made their first contribution in #799
@pgcath made their first contribution in #801
@luoxin9510 made their first contribution in #763
@szhygulin made their first contribution in #822
@acato made their first contribution in #814

Full Changelog: https://github.com/taylorwilsdon/google_workspace_mcp/compare/v1.21.0...v1.21.1

Security Fixes

Stronger host‑binding protections for legacy OAuth mode — hardens auth path against binding attacks

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track taylorwilsdon/google_workspace_mcp

Get notified when new releases ship.

About taylorwilsdon/google_workspace_mcp

Comprehensive Google Workspace MCP server with full support for Google Calendar, Drive, Gmail, and Docs, Forms, Chats, Slides and Sheets over stdio, Streamable HTTP and SSE transports.

All releases →