critical

@postman/postman-mcp-server

v2.7.0

A simple MCP server to operate on the Postman API

npmGitHub ActionsFirst seen Feb 22, 2026

46

Total

2

Critical

21

High

23

Medium

Findings

unknown

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    5:     GIT_BRANCH: z.string().default('main'),
    6: });
>>> 7: const parsedEnv = envSchema.safeParse(process.env);
    8: if (!parsedEnv.success) {
    9:     console.error('Invalid environment variables for Postman MCP server:', parsedEnv.error.format());

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    88: if (dotEnvOutput.error) {
    89:     if (dotEnvOutput.error.code !== 'ENOENT') {
>>> 90:         log('error', `Error loading .env file: ${dotEnvOutput.error}`);
    91:         process.exit(1);
    92:     }

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: u��b��-�g)�)쵩e

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��z��͵k��׷o��_��w

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��z��^�η巻�f��m�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��z��κk�yo~��~[�M�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r��v�,��%��-��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: 䲖�z��?

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r�^��)ݲ��g)

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r�^��)ݲ��g)

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r��zܢ��ܢw��?j��n��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: u��b��-�g)�)쵩e

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r�^��)ݲ��g)

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r�^��)ݲ��g)

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: r��zܢ��ܢw��?j��n��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'��ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��Qz��I'��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��Qz��I'��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'��ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��B�Y^rب��-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��B�Y^rب��-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��B�Y^rب��-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��B�Y^rب��-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive

mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    70:         };
    71:         const { headers: _ignored, ...optionsWithoutHeaders } = options;
>>> 72:         const response = await fetch(`${this.baseUrl}${endpoint}`, {
    73:             ...optionsWithoutHeaders,
    74:             headers,

Report false positive

mediumOB-001ObfuscationMedium ConfidenceLine 0

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    93: ### Install in Cursor
    94: 
>>> 95: [![Install in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=postman_mcp_server&config=eyJ1cmwiOiJodHRwczovL21jcC5wb3N0bWFuLmNvbS9taW5pbWFsIiwiaGVhZGVycyI6eyJBdXRob3JpemF0aW9uIjoiQmVhcmVyIFlPVVJfQVBJX0tFWSJ9fQ%3D%3D)
    96: 
    97: To install the remote Postman MCP Server in Cursor, click the install button.

Report false positive

mediumOB-001ObfuscationMedium ConfidenceLine 0

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    442: ### Install in Cursor
    443: 
>>> 444: [![Install with Node in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=postman-api-mcp&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyJAcG9zdG1hbi9wb3N0bWFuLW1jcC1zZXJ2ZXIiLCItLWZ1bGwiXSwiZW52Ijp7IlBPU1RNQU5fQVBJX0tFWSI6IllPVVJfQVBJX0tFWSJ9fQ%3D%3D)
    445: 
    446: To install the local Postman MCP Server in Cursor, click the install button.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.3 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.3 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumNS-003Network SuspiciousMedium ConfidenceLine 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    327: \`\`\`javascript
    328: // If Postman request has examples for 200, 404, 401, and 422 responses:
>>> 329: const response = await fetch(url, options);
    330: 
    331: if (response.ok) {

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (5.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

Scan History

Date	Risk	Findings	Files	Duration
Feb 25, 2026	critical	46	134	0.00s
Feb 23, 2026	critical	46	134	0.00s
Feb 22, 2026	critical	46	134	0.00s