| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |

If you discover a security vulnerability in pbi-cli, please report it responsibly.
Do not open a public issue.
Instead, email security@pbi-cli.dev or use GitHub private vulnerability reporting.

Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix release: As soon as possible, depending on severity

pbi-cli connects to local Power BI instances via MCP (Model Context Protocol) over stdio. Key security notes:
- No network exposure: The MCP server binary communicates over local stdio pipes, not network sockets
- No credentials stored: Connection details are saved locally but passwords and tokens are never persisted
- Local binary execution: pbi-cli launches `PBIDesktopMCPServer.exe` as a subprocess; ensure the binary is from a trusted source
- Config file permissions: Connection store at `~/.pbi-cli/connections.json` should have user-only read/write permissions
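
One way to check the last two notes on a Windows host, as an added example that is not part of pbi-cli itself. It assumes `~` resolves to `$HOME`, that SYSTEM and Administrators entries are acceptable alongside the current user, and that you pass the binary's install path yourself, since this page does not state it.

```powershell
# Added audit example, not pbi-cli code. Parameter names and the allow-list are assumptions.
param(
    [string]$ConnectionStore = (Join-Path $HOME '.pbi-cli\connections.json'),
    [string]$ServerBinary    = ''   # assumption: full path to PBIDesktopMCPServer.exe, supplied by you
)

function Get-UnexpectedAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Allow-list (assumption): current user, NT AUTHORITY\SYSTEM, BUILTIN\Administrators.
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $allowed = @($me.Value, 'S-1-5-18', 'S-1-5-32-544')
    $acl     = Get-Acl -LiteralPath $Path
    # Resolve every ACE to a SID so localized account names do not matter.
    $rules   = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -notin $allowed) {
            $ace   # emit each Allow entry granted to some other principal
        }
    }
}

function Get-BinaryProvenance {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status     # Valid, NotSigned, HashMismatch, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

if (Test-Path -LiteralPath $ConnectionStore) {
    $extra = @(Get-UnexpectedAccess -Path $ConnectionStore)
    if ($extra.Count -gt 0) {
        Write-Warning "$ConnectionStore grants access beyond the current user:"
        $extra | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    } else {
        "OK: $ConnectionStore is limited to the expected principals"
    }
}

if ($ServerBinary -and (Test-Path -LiteralPath $ServerBinary)) {
    $info = Get-BinaryProvenance -Path $ServerBinary
    if ($info.Status -ne 'Valid') { Write-Warning "Signature status: $($info.Status)" }
    $info | Format-List   # compare Signer and SHA256 with what the publisher lists
}
```

A `Valid` status only means the signature chain verifies; whether the signer is one you trust is still your decision.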