We actively support the following versions of ProxmoxMCP with security updates:

| Version | Supported |
|---------|-----------|
| 1.x.x   | β         |
| < 1.0   | β         |
We take the security of ProxmoxMCP seriously. If you discover a security vulnerability, please report it responsibly.
For security vulnerabilities, please do NOT create a public GitHub issue. Instead, please:
- Use GitHub Security Advisories: Go to the Security tab and click "Report a vulnerability"
- Email: Send details to the project maintainers at [INSERT_EMAIL]
- Use our Security Issue Template: If you must use issues, use the Security Vulnerability template
Please include the following information:
- Description: Clear description of the vulnerability
- Impact: Potential impact and affected components
- Steps to Reproduce: Detailed reproduction steps
- Environment: ProxmoxMCP version, Proxmox version, deployment method
- Suggested Fix: Any proposed solutions (if available)
Response timeline:
- Initial Response: Within 48 hours
- Assessment: Within 1 week
- Fix Development: Based on severity (Critical: 1-7 days, High: 1-2 weeks, Medium: 2-4 weeks)
- Public Disclosure: After the fix is released and users have had time to update
When using ProxmoxMCP, please follow these security guidelines:
- Use dedicated API tokens (never the root password)
- Enable SSL/TLS verification (`verify_ssl: true`)
- Use least-privilege API tokens
- Rotate API tokens regularly
- Don't store tokens in plaintext
- Don't commit tokens to version control
- Run in containerized environments when possible
- Use non-root users in containers
- Keep dependencies updated
- Monitor logs for suspicious activity
- Don't expose unnecessary ports
- Don't run as root in production
- Use secure networks for Proxmox communication
- Implement network segmentation
- Use VPNs for remote access
- Don't expose the Proxmox API to the internet
- Don't use unencrypted connections
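A small audit function for the token and TLS guidelines above, added here as an example and not part of ProxmoxMCP itself. It assumes a config layout with a `proxmox` section holding `verify_ssl` and an `auth` section holding the user and token; only `verify_ssl` comes from this page, the other field names and the `${ENV_VAR}` token-reference convention are assumptions.

```python
import os
import re
from typing import Optional

# Constructed sample that violates several guidelines: TLS checks off,
# password auth, and the root account. Field names other than verify_ssl
# are assumed, not taken from ProxmoxMCP's real schema.
WEAK_CONFIG = {
    "proxmox": {"host": "pve.example.internal", "port": 8006, "verify_ssl": False},
    "auth": {"user": "root@pam", "password": "hunter2"},
}

# Constructed sample that follows the guidelines: a dedicated non-root user,
# an API token, and the secret pulled from the environment at runtime.
HARDENED_CONFIG = {
    "proxmox": {"host": "pve.example.internal", "port": 8006, "verify_ssl": True},
    "auth": {"user": "mcp@pve", "token_name": "mcp", "token_value": "${PROXMOX_TOKEN}"},
}

ENV_REF = re.compile(r"\$\{(\w+)\}")  # assumed convention: ${NAME} means "read from env"


def audit_config(cfg: dict, env: Optional[dict] = None) -> list:
    """Return a list of guideline violations found in a ProxmoxMCP-style config."""
    env = os.environ if env is None else env
    proxmox = cfg.get("proxmox", {})
    auth = cfg.get("auth", {})
    findings = []

    # verify_ssl must be the boolean True, not "true", 1 or missing.
    if proxmox.get("verify_ssl") is not True:
        findings.append("verify_ssl is not true: TLS certificate checks are disabled")
    if "password" in auth:
        findings.append("password auth in use: use a dedicated API token instead")
    if str(auth.get("user", "")).startswith("root@"):
        findings.append("token owner is root: use a least-privilege user")

    token = str(auth.get("token_value", ""))
    ref = ENV_REF.fullmatch(token)
    if token and ref is None:
        findings.append("token_value is stored in plaintext: reference an environment variable")
    elif ref is not None and ref.group(1) not in env:
        findings.append(f"token_value references {ref.group(1)} but it is not set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg, env={"PROXMOX_TOKEN": "redacted"}))
```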
Security considerations:
- Command Execution: VM commands are executed via the QEMU Guest Agent
- API Access: Requires a Proxmox API token with appropriate permissions
- Network Access: Needs network access to the Proxmox server
- Configuration: Sensitive data in configuration files should be protected
Security updates will be:
- Released as patch versions (e.g., 1.0.1)
- Documented in release notes with CVE numbers when applicable
- Announced via GitHub Releases and Security Advisories
We appreciate responsible disclosure and will acknowledge security researchers who report vulnerabilities to us (unless they prefer to remain anonymous).
Last Updated: January 30, 2025
Next Review: June 30, 2025