We take security seriously. If you discover a security vulnerability, please:
- DO NOT open a public issue
- DO report it via GitHub Security Advisories: Report a vulnerability
- OR email details to the maintainer (check the commit history for the address)

Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We're actively working on fixing these security vulnerabilities:
| Issue | Status | Priority |
|---|---|---|
| No authentication on MCP server | 🔧 In Progress | CRITICAL |
| Path traversal in file operations | 📋 Planned | CRITICAL |
| Missing input validation | 📋 Planned | HIGH |
| Insecure session management | 📋 Planned | HIGH |
See our security issues for details.
Until security improvements are complete:
- Only use on trusted networks (localhost only)
- Don't expose the MCP port to the internet
- Monitor vault access for unexpected changes
- Keep backups of your vault
- Review plugin permissions in Obsidian
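As an added check for the first two items above (this is example code, not part of the plugin): a POSIX shell function that reads `ss -ltn` output and reports any listener on the configured `httpPort` (3001 in the settings that follow) that is not bound to a loopback address. It assumes Linux iproute2 `ss` output with the local address in column 4; the sample listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the plugin: verify that the MCP HTTP port is bound
# to a loopback address only, using the output format of `ss -ltn` (assumption:
# Linux iproute2 `ss`; column 4 is "Local Address:Port").

# exposed_listeners PORT  (reads ss output on stdin)
# Prints each listening socket on PORT whose local address is not loopback.
# Exit status 0 = only loopback listeners (or none), 1 = at least one exposed.
exposed_listeners() {
  awk -v port="$1" '
    NR > 1 {
      addr = $4
      n = split(addr, parts, ":")
      p = parts[n]                 # trailing :PORT, works for [::]:3001 as well
      if (p != port) next
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (host != "127.0.0.1" && host != "[::1]" && host != "[::ffff:127.0.0.1]") {
        print addr
        found = 1
      }
    }
    END { if (found) exit 1; exit 0 }
  '
}

# Constructed sample output (not captured from a real host) for both cases.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    127.0.0.1:3001     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:3001       0.0.0.0:*
LISTEN 0      511    [::]:3001          [::]:*'

# check_sample TEXT PORT: run the check over a captured or constructed listing.
check_sample() {
  printf '%s\n' "$1" | exposed_listeners "$2"
}

# Live use on the Obsidian host:  ss -ltn | exposed_listeners 3001
```

A non-zero exit status with one or more addresses printed means the server is reachable from outside the machine and the port should be firewalled or the plugin disabled until the authentication work lands.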
Suggested plugin settings:

```json
{
  "httpEnabled": true,
  "httpPort": 3001,
  "autoDetectPortConflicts": true,
  "debugLogging": false
}
```

Change `httpPort` from the default and keep `debugLogging` disabled in production.

Planned security improvements:
- API key authentication
- Path validation framework
- Input sanitization
- Rate limiting
- Audit logging
- Encrypted sessions
Thanks to security researchers who responsibly disclose vulnerabilities.