Only the latest tagged release on main is supported. We do not backport
fixes to older tags. Self-hosted deployments should track main or the most
recent 25R2-* tag.
Please do not file public GitHub issues for security vulnerabilities.
Use GitHub's private vulnerability reporting:
- Go to https://github.com/hallboys/MCP4Acumatica/security/advisories/new
- Describe the issue, affected version/tag, and a proof-of-concept if available.
- We will acknowledge receipt within 5 business days and aim to provide a remediation timeline within 10 business days.
If GitHub Security Advisories is not an option, you may email
security@hallboys.com with the same information.
In scope:
- The Cloudflare Worker code in this repository
- The OAuth flow against Acumatica
- The admin console
- Token storage, redaction, rate-limiting, and role-gate logic
- The
setup.shandinstall.shinstall paths
Out of scope (report upstream):
- Vulnerabilities in Acumatica itself (report to Acumatica, Inc.)
- Vulnerabilities in Cloudflare Workers, KV, R2, or Durable Objects (report to Cloudflare)
- Vulnerabilities in MCP clients (Claude, ChatGPT, etc.)
- Issues that require a compromised Acumatica admin account or an attacker
with
MCP Accessrole privileges already granted
We follow coordinated disclosure. Once a fix is released, we will credit the reporter in the release notes unless you ask to remain anonymous.