Network-AI
Release

v5.1.3 — MCP Authentication & Security Hardening

Published 2026-04-23 | Release notes


Security (HIGH — CWE-306)

MCP HTTP Transport Authentication

The MCP HTTP server (POST /mcp, GET /sse) previously had no authentication, allowing any network-reachable client to read and mutate live orchestrator state. This release fixes that.

Changes:

  • McpSseServer now enforces Authorization: Bearer <secret> on POST /mcp and GET /sse when McpSseServerOptions.secret is set
  • Unauthenticated or wrong-token requests receive HTTP 401 with WWW-Authenticate: Bearer header
  • Default bind address changed **
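
An added example, not Network-AI's own code, of the check described above for a Node HTTP handler: bearer-token enforcement on POST /mcp and GET /sse that answers 401 with WWW-Authenticate: Bearer. The names checkBearer and withBearerAuth are hypothetical, and the constant-time comparison over SHA-256 digests is this example's choice, not something the release notes state.

```javascript
// Added example: not Network-AI source code. Function names are hypothetical.
const { createHash, timingSafeEqual } = require("node:crypto");

// Hash both values so timingSafeEqual always receives equal-length buffers
// (it throws on a length mismatch, and raw lengths would leak otherwise).
const digest = (s) => createHash("sha256").update(s, "utf8").digest();

// Returns null when the request may proceed, or { status, headers } to reject.
function checkBearer(headers, secret) {
  if (!secret) return null; // per the notes: enforced only when a secret is set
  const reject = { status: 401, headers: { "WWW-Authenticate": "Bearer" } };
  const value = headers["authorization"]; // Node lower-cases header names
  if (typeof value !== "string") return reject;
  const m = /^Bearer +([^\s]+)$/i.exec(value); // auth scheme is case-insensitive
  if (!m) return reject;
  return timingSafeEqual(digest(m[1]), digest(secret)) ? null : reject;
}

// Wraps a Node http request handler and guards the two MCP routes.
function withBearerAuth(secret, handler) {
  return (req, res) => {
    const path = req.url.split("?")[0];
    const guarded =
      (req.method === "POST" && path === "/mcp") ||
      (req.method === "GET" && path === "/sse");
    const denied = guarded ? checkBearer(req.headers, secret) : null;
    if (denied) {
      res.writeHead(denied.status, denied.headers);
      return res.end();
    }
    return handler(req, res);
  };
}
```
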