patch-tuesday-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| MCP_HOST | No | Bind address for HTTP mode | 0.0.0.0 |
| MCP_PORT | No | Port for HTTP mode | 8000 |
| MCP_LOG_LEVEL | No | Root log level (DEBUG/INFO/WARNING/ERROR/CRITICAL) | WARNING |
| MCP_TRANSPORT | No | Transport mode: set to 'http' for remote serving | stdio |
| MCP_CORS_ORIGINS | No | Comma-separated allowlist of browser origins for CORS | * |
| MCP_MAX_BODY_BYTES | No | Max request body size, returns 413 above it (0 disables) | 262144 |
| MSRC_PROFILES_PATH | No | Path to a JSON file with custom product profiles (overrides built-in) | |
| MCP_LIMIT_CONCURRENCY | No | Max concurrent in-flight connections; uvicorn responds 503 beyond it (0 disables) | 40 |
| MCP_TIMEOUT_KEEP_ALIVE | No | Seconds before idle keep-alive connections are closed | 15 |
| MCP_MSRC_MAX_RESPONSE_BYTES | No | Cap on a single MSRC upstream response body | 67108864 |
| MCP_ENRICHMENT_MAX_RESPONSE_BYTES | No | Cap on a single EPSS/KEV upstream response body | 33554432 |
| APPLICATIONINSIGHTS_CONNECTION_STRING | No | Opt-in usage telemetry connection string |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tasks | {
"list": {},
"cancel": {},
"requests": {
"tools": {
"call": {}
},
"prompts": {
"get": {}
},
"resources": {
"read": {}
}
}
} |
| tools | {
"listChanged": true
} |
| prompts | {
"listChanged": false
} |
| resources | {
"subscribe": false,
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| msrc_searchA | Search Microsoft security updates (Patch Tuesday) from the official MSRC API. Combines keyword search, CVE/KB lookup, and product/severity/exploitation filtering into a single flexible tool. All filter parameters are optional and can be combined. When no filters are provided, returns the most urgent vulnerabilities from the most recent released Patch Tuesday (CISA-KEV- listed or exploited first, then by EPSS exploitation probability, severity, and CVSS score). The upcoming month's document exists before its Patch Tuesday but only holds early Chromium/third-party and out-of-band entries; it is skipped by default and served only when requested via month=. Results are enriched with EPSS scores (FIRST.org daily exploit prediction, 0-1) and CISA KEV (Known Exploited Vulnerabilities) catalog data when available. Use this tool to:
Args: query: Optional keyword; case-insensitive match across CVE ID, title, description, component tag, and affected product names. cve: Optional CVE ID (e.g. "CVE-2026-41108"). Fast path: ignores other filters and returns full detail for that single CVE, searching across all months automatically. kb: Optional KB article number (e.g. "5094123" or "KB5094123") or a list of up to 30 of them for a batched lookup. Fast path: returns the CVEs fixed by that KB, scanning the most recent months (up to 6), or only the given month when month= is also set. A list input returns a grouped response instead: a results array with one entry per KB ("kb", "found", and on success the same body as a single-KB lookup; on a miss "error"/"error_kind"), deduplicated, order preserved. limit/offset apply per KB; other filters are ignored. Accepts numeric KB ids only (any malformed list entry fails the whole call); kb_articles in results may also contain non-KB vendor-fix labels such as "Release Notes", which cannot be looked up here. month: Optional monthly release to search, formatted "2026-Apr" or "2026-04". Defaults to the most recent release whose Patch Tuesday (second Tuesday of the month) has already occurred; pass the upcoming month explicitly to see its pre-release entries. Combined with kb=, restricts the KB lookup to that month. product: Optional product name filter (case-insensitive partial match against affected product names, e.g. "Windows Server 2022"). product_profile: Optional named watchlist (e.g. "identity-core") that expands locally into product/family matchers. Built-in profiles can be overridden/extended via a JSON file at MSRC_PROFILES_PATH. An unknown name returns an invalid_input error listing the available profiles. Profile contents are matched locally and never sent to MSRC, FIRST.org, CISA, or telemetry. products: Optional list of product-name partial matchers. A vulnerability is kept if any entry matches one of its affected products. product_families: Optional list of product-family partial matchers. A vulnerability is kept if any entry matches one of its product families. Combined with products/product_profile as a union (match any listed product OR family). severity: Optional maximum-severity filter. Valid values: Critical, Important, Moderate, Low. exploited: Optional filter for vulnerabilities known to be exploited in the wild (True) or not (False), per Microsoft's assessment. publicly_disclosed: Optional filter for publicly disclosed vulnerabilities. kev: Optional filter for CVEs on (True) or off (False) the CISA Known Exploited Vulnerabilities catalog. ransomware: Optional filter for CVEs whose CISA KEV entry reports known ransomware campaign use (True) or not / not on KEV (False). exploitation_likely: Optional filter on Microsoft's latest-release exploitation assessment: True matches "Exploitation More Likely" or "Exploitation Detected"; False matches everything else (including unassessed entries). Matching results include an exploitation_assessment field. cwe: Optional weakness filter; case-insensitive substring match against CWE entries (e.g. "CWE-416" or "use after free"). Matching results include their cwe list. min_epss: Optional minimum EPSS score (0-1), the probability of exploitation in the next 30 days (e.g. 0.5 for >= 50%). min_cvss: Optional minimum CVSS base score (0-10). attack_vector: Optional CVSS attack-vector filter, one of N (network), A (adjacent), L (local), P (physical). Matches the parsed CVSS v3.x vector; entries without a parseable vector are excluded. privileges_required: Optional CVSS privileges-required filter, one of N (none), L (low), H (high). user_interaction: Optional CVSS user-interaction filter, one of N (none), R (required). scope: Optional CVSS scope filter, one of U (unchanged), C (changed). include_chain: When True together with kb=, adds a supersedence_chain showing which KBs this KB replaces (newest to oldest), walked from Microsoft-stated supersedence links. Ignored without kb=. include_guidance: When True together with cve=, adds a guidance list to the CVE detail output with any Microsoft-provided mitigations, workarounds, and will-not-fix advisories (type/description/url). Omitted by default to keep responses lean. Ignored without cve=. include_references: When True, adds deterministic reference links (MSRC, NVD, EPSS, and KEV when listed) to each result row in month/KB/trend lists. CVE detail lookups always include them. include_kb_details: When True, kb_articles entries become full objects (per-KB url, fixed_build, supersedence, sub_type, and restart_required) instead of bare KB numbers; on cve= lookups it additionally adds restart_required to each KB entry. include_kev_details: When True, KEV-listed rows carry the full KEV entry (due_date, ransomware_use, required_action, vendor_project, product, vulnerability_name) instead of a boolean flag; on cve= lookups it extends the kev block with the extra catalog fields. include_temporal: When True, cvss blocks gain the CVSS temporal score Microsoft publishes (exploit-code maturity adjusted). Applies to cve= detail and to list rows that carry a cvss block. list_months: When True, ignore other filters and return the catalog of available monthly releases (id, title, initial/current release dates, newest first) — useful for discovering valid month= values and spotting same-month revisions. format: Output format for a monthly/filtered search: "json" (default, most complete), "markdown", or "csv". "markdown" adds a prioritized triage briefing (executive summary + table) under a markdown key; "csv" adds a spreadsheet-ready table under a csv key plus a columns list. The JSON vulnerabilities list is always included. Ignored for cve=/kb= fast-path lookups. report: Optional report profile for format="markdown"/"csv". Currently only "triage" (the default rendering) is supported; reserved for future report shapes. force_refresh: When True, bypass the in-process caches for this request and re-fetch the MSRC document and EPSS/KEV enrichment from source. Use to pick up a same-day MSRC revision or fresh EPSS/KEV data. Only the data needed for this request is refreshed; unrelated cached months are left intact. include_freshness: When True (or when force_refresh is used), add a freshness block to the response reporting the cache age and TTL of the MSRC document and the EPSS/KEV enrichment data. months_back: Optional historical-trend control; search the N most recent released months (N >= 1) instead of a single month, aggregating matches with per-month counts. Mutually exclusive with start_month/end_month. Capped at 12 months per request. start_month: Optional start of a historical-trend range (e.g. "2026-Jan" or "2026-01"), inclusive. When end_month is omitted the range runs through the latest released month. Capped at 12 months. end_month: Optional end of a historical-trend range (inclusive); requires start_month (or months_back). Pre-release months are excluded. limit: Maximum number of results to return (default: 10, max: 100). Set to 0 with include_stats=True for a stats-only month overview. offset: Number of results to skip for pagination (default: 0). include_stats: When True, includes aggregate counts (by severity, impact, product family, exploited, KEV, publicly disclosed) for the filtered result set. Returns: Dictionary with: - month: Release ID (e.g. "2026-Jun") and title/release date - total_found: Number of vulnerabilities matching the filters - vulnerabilities: List of compact vulnerability summaries (up to limit) with epss_score and kev flag when available; full detail (epss_percentile, KEV due dates) returned for cve= lookups - filters_applied: Summary of which filters were used - stats: (only when include_stats=True) aggregate counts - supersedence_chain / chain_complete: (only for kb= lookups with include_chain=True) the walked chain, newest to oldest - total_kbs / results: (only when kb= is a list) grouped batch output; results holds one entry per KB with kb, found, and either the single-KB response body or a per-KB error/error_kind, while the top-level total_found sums across all KBs - guidance: (only for cve= lookups with include_guidance=True) list of mitigation/workaround/will-not-fix advisories, when Microsoft provides them - format / markdown / csv / columns: (only when format="markdown" or "csv") the chosen format plus the rendered triage view; csv also carries the stable column-name list - freshness: (only with include_freshness=True or force_refresh=True) cache age/TTL for the MSRC document and EPSS/KEV enrichment - range / months_searched / trend: (only for historical-trend searches via months_back or start_month/end_month) the resolved month range, the number of months searched, and per-month aggregate counts (total, by_severity, exploited, publicly_disclosed, kev) - available_months: (only with list_months=True) the release catalog, newest first - error / error_kind: (only on failure) a message plus a category (invalid_input, not_found, upstream, internal) - note: (when relevant) explains month selection, e.g. that a newer pre-Patch-Tuesday document was skipped, or (with release_status="pre-patch-tuesday") that the requested month has not had its Patch Tuesday yet |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| monthly_triage | Guided monthly identity/security triage using msrc_search: zero-days, CISA KEV, exploited, network/no-auth/no-UI criticals, identity-adjacent products, endpoint/Intune, and a briefing. Optionally scope to a product watchlist via product_profile. |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/jonnybottles/patch-tuesday-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server