v0.22.0
v0.22.0
This release bundles three months of community contributions with a coordinated security hardening pass across the attachment, transport, SSRF-validation, filtering, and OAuth layers.
π Security
A security audit (37 advisories, consolidated into root-cause families) was resolved in this release. Advisories are being published with "fixed in 0.22.0" β highlights:
- Attachment & content-file path confinement β
upload_attachment/download_attachment(Jira & Confluence) and the newcontent_filepage input now validate every caller-supplied path against the workspace viavalidate_safe_path, closing arbitrary file read/exfiltration and an intra-CWD overwrite RCE variant. Note: paths passed to these tools must now resolve inside the server's working directory. (GHSA-wm45-qh3g-v83f, GHSA-vc25-24vv-fxxm, GHSA-93xw-j965-9mx3, GHSA-6cr4-ccf3-x7h4, GHSA-f4p7-qx46-wc5j, GHSA-f6pj-qv47-g96w, GHSA-2xj6-xx86-cwwc, GHSA-mrq8-fv7v-hhjg, GHSA-wv8v-v4c5-v75j, GHSA-p6hp-93wp-fh6p, GHSA-h7wj-5v37-59r2, GHSA-mfv2-4wvm-9pgp, GHSA-f26r-j276-ggg4, GHSA-g5r6-gv6m-f5jv, GHSA-6vmq-24h2-pj7j) - HTTP transport authentication (critical) β unauthenticated streamable-http requests no longer fall back to the operator's global credentials; the fallback is now opt-in via
ALLOW_GLOBAL_CRED_FALLBACK(default off), and unauthenticated requests are rejected with 401 at the transport boundary. (GHSA-wrhw-j3f9-8vc6, GHSA-vc8m-84rp-53hx, GHSA-cc5h-2pwp-pvcc) - SSRF hardening β redirect validation now covers every client session and auth branch, backslash authority-confusion URLs are rejected, and a DNS-pinning transport adapter resolves each host exactly once (validate β connect on the same address), eliminating the DNS-rebinding TOCTOU against the CVE-2026-27826 fix. Hosts from your configured
JIRA_URL/CONFLUENCE_URLandMCP_ALLOWED_URL_DOMAINSare exempt from the non-global-address rejection, so on-prem DC instances on private networks keep working; caller-supplied URLs (multi-user HTTP headers) remain fully guarded. (GHSA-6529-c226-h328, GHSA-hgcf-4mq8-5266, GHSA-v9m3-wfh8-5646, GHSA-5wf4-jqxh-8gm3, GHSA-49xv-9743-pw8w, GHSA-72fm-whvq-jghf, GHSA-489g-7rxv-6c8q, GHSA-6rrj-86cw-gg9j) - Tool authorization enforcement β tools hidden by
ENABLED_TOOLS/ toolset / read-only mode can no longer be invoked by name; authorization is enforced at dispatch, not just listing. (GHSA-3r68-hf9h-887v) - Project/space filter boundary β
JIRA_PROJECTS_FILTER/CONFLUENCE_SPACES_FILTERare now a hard boundary: always ANDed into queries (callers can narrow but never widen), covering search and board issues. Sprint IDs are validated numeric to prevent JQL injection. (GHSA-w66g-j6c4-hcfc, GHSA-rqwg-9346-fjjv) - OAuth token file permissions β fallback token files are written owner-only (0600, dir 0700). (GHSA-g5xv-mhgm-v5f6, GHSA-76pr-5669-3xf5, GHSA-4596-2p6p-28cv)
- Reflected XSS β the OAuth callback page HTML-escapes its output. (GHSA-g2r2-3j32-j27x)
Each fix ships with permanent regression tests. Thanks to everyone who reported β including overlapping public reports from @failsafesecurity and @rober15.
β¨ Features
Jira
- Dedicated
assign_issuetool (#1152) andsearch_assignable_usersfor free-form user lookup (#1358) jira_move_issuefor cross-project moves (#1273) andmove_issues_to_backlog(#1333)jira_search_projectsusing the projects picker API (#1247)update_versiontool (#1349)get_issuegains anincludeparam for inline enrichments (#1125)- Issue type and field discovery tools (#1123)
- ADF/markdown: panel nodes (#1219), task lists
- [ ]β taskList (#1280),[~accountid:UUID]mentions (#1307), display-name mentions (#1228) account_idexposed in simplified user profiles (#1347)
Confluence
- Inline comment tools with Server/DC v1 payload fix (#1264)
confluence_update_page_sectionfor lossless partial page updates (#1141)content_fileinput for create/update page (#1275)content_base64input forupload_attachmentβ upload from in-memory content when the server can't read host file paths (#1366)- Content and space permission checking tools (#1320)
get_pageresolves Confluence tiny links and page URLs (#1222)- Table layout, page width, page restrictions, and copy-page support (#1178)
Server/Transport
- Opt-in HTTP hardening: urllib3 retries with Retry-After respect, outbound rate limit, process-wide concurrency cap, circuit breaker, and pagination clamp β all disabled by default, tunable via env (#1310)
π Fixed
Jira
update_issue: null values clear fields (#1140); loud failure when assignee can't be resolved (#1380); tolerate default comment fields (#1334)- Pagination:
get_worklogsreturns all entries (#1223); newest comments first when limiting (#1218) 'me'identifier inget_user_profile(#1120); sub-task name match preference (#1331);versionfield allowed in issue field selection (#1227)- Version creation uses correct API per deployment (#1339; #1350)
- Markdown: full table block parsing (#1379); no intraword-underscore italics (#1361)
- Embedded media preserved on Cloud description updates (#1224); case-sensitive dev-status applicationType (#1153); simplified
get_all_projectsoutput (#1291)
Confluence
- DC/Server attachment upload completed β XSRF header, POST method, versioning fallback (#1253); upload API errors surfaced (#1441)
- Cloud attachment URLs:
/wikiprefix on upload/delete (#1386); v1 REST endpoint for downloads (#1369) - Page tree position sort normalization (#1352); v2 API for page children (#1304); history in
get_page_contentexpand (#1117) - User mentions:
ri:userkey/ri:usernamehandling (#1298); bare-filename img tags become attachment macros (#1176)
Server/Transport & Auth
- Require a FastMCP version with event-store support (#1351)
- Per-user OAuthConfig guarded against BYO global config (#1364)
- Explicit User-Agent on Jira/Confluence sessions (#1326)
- Auth token redacted in unsupported-Authorization logs (#1160)
- Jira Server/DC string response handling + xhtml content format (#1231)
Full Changelog: v0.21.1...v0.22.0