If you discover a security vulnerability in coolify-mcp, please do not open a public issue.

Instead, email the maintainers directly. You should receive a response within 48 hours.

When reporting, include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Optionally: suggested fix

• coolify-mcp uses Bearer token authentication (Authorization: Bearer {key})
• The API key is passed via the COOLIFY_API_KEY environment variable
• Never log API keys — all logging redacts sensitive values
• Never commit API keys to version control

coolify-mcp exposes mutating tools (create_application_*, set_env, bulk_set_envs, trigger_deploy). These tools:

• Require explicit human approval before execution (via the MCP protocol)
• Should be scoped to specific project/application permissions in Coolify
• Are not safe to expose to untrusted users without Coolify API key protection

• Accidental production deployments: mitigated by requiring human approval
• Secret exposure: mitigated by marking secrets with isSecret: true (not logged)
• Port conflicts: detection logic warns about common misconfigurations
• Resource exhaustion: users must set memoryLimit and cpuLimit explicitly

Run npm audit before each release to check for known vulnerabilities in dependencies.