We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| 0.7.x | ❌ |
| < 0.7 | ❌ |
We take the security of MCP-FreeCAD seriously. If you discover a security vulnerability, please follow these steps:
- DO NOT open a public GitHub issue for security vulnerabilities
- Email security concerns to: info@cryptolinx.de
- Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if you have one)
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Assessment: We will assess the vulnerability and determine its impact and severity
- Timeline: We aim to provide an initial response within 7 days
- Updates: We will keep you informed about the progress of fixing the vulnerability
- Credit: If you wish, we will acknowledge your responsible disclosure in the fix release notes
- The security team will investigate and validate the report
- A fix will be developed and tested
- A security advisory will be published (if applicable)
- A patch release will be created and published
- The vulnerability details will be disclosed publicly after the patch is available
When using MCP-FreeCAD, we recommend:
- Never commit API keys or credentials to the repository
- Store API keys in environment variables or secure configuration files
- Use the encrypted configuration options when available
- Keep
api_keys.jsonand similar files in.gitignore
- Use HTTPS/TLS for all network connections when possible
- Validate server certificates when connecting to external services
- Be cautious when connecting to unknown FreeCAD instances
- Use firewall rules to restrict access to FreeCAD server ports
- Be aware that FreeCAD scripts can execute arbitrary code
- Review generated scripts before execution in production environments
- Use sandboxed environments when testing untrusted code
- Keep FreeCAD and dependencies up to date
- Use official Docker images or build from trusted sources
- Don't run containers as root when possible
- Keep Docker and container images up to date
- Use Docker secrets for sensitive configuration
MCP-FreeCAD can execute Python scripts in FreeCAD. While this is a core feature, users should:
- Only use trusted tool providers
- Review generated scripts in sensitive environments
- Understand that scripts have full access to FreeCAD's capabilities
When using AI providers (Claude, OpenAI, Google, OpenRouter):
- API keys should be stored securely
- Be aware of data sent to third-party APIs
- Review AI provider terms of service and privacy policies
- Consider using self-hosted models for sensitive projects
The server opens network connections for:
- FreeCAD communication (configurable port)
- AI provider APIs (HTTPS)
- MCP protocol communication
Ensure these connections are properly secured in your environment.
We follow a coordinated vulnerability disclosure process:
- Security researchers report vulnerabilities privately
- We work to fix the vulnerability
- A security advisory is prepared
- The fix is released
- The vulnerability is publicly disclosed with credit to the researcher
We kindly ask researchers to:
- Allow reasonable time for us to fix the vulnerability before public disclosure
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Not exploit the vulnerability beyond what is necessary to demonstrate it
For security issues: info@cryptolinx.de
For general support: GitHub Issues
We appreciate the security research community's efforts in responsibly disclosing vulnerabilities and helping us keep MCP-FreeCAD secure.