Is com.postman/postman-mcp-server safe to use?

com.postman/postman-mcp-server has 1 known CVE tracked by MCPpedia. You can verify these on OSV.dev by searching for "@postman/postman-mcp-server". Review the Security section above for details before installing.

How do I install com.postman/postman-mcp-server?

com.postman/postman-mcp-server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with com.postman/postman-mcp-server?

com.postman/postman-mcp-server is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio and sse and http transport.

Is com.postman/postman-mcp-server actively maintained?

com.postman/postman-mcp-server is actively maintained — last commit was 4 days ago. It has 209 GitHub stars.

com.postman/postman-mcp-server

A basic MCP server to operate on the Postman API.

ActiveNot tested

Other

★ 209↓ 2.9k/wknpm GitHub

611 CVEsactive

Quick Install

{
  "mcpServers": {
    "postman-code": {
      "env": {},
      "args": [
        "mcp-remote",
        "https://mcp.postman.com/code"
      ],
      "disabled": false,
      "disabledTools": []
    },
    "postman-full": {
      "env": {},
      "args": [
        "mcp-remote",
        "https://mcp.postman.com/mcp"
      ],
      "disabled": false,
      "disabledTools": []
    },
    "postman-minimal": {
      "env": {},
      "args": [
        "mcp-remote",
        "https://mcp.postman.com/minimal"
      ],
      "disabled": false,
      "disabledTools": []
    }
  }
}

Setup guide

Should you use this server?

A basic MCP server to operate on the Postman API.

✗

Is it safe?

1 open CVE. Verify on OSV.dev →

No authentication — any process on your machine can connect.

License not specified.

✓

Is it maintained?

Last commit 4 days ago. 209 stars. 2,921 weekly downloads.

Will it work with my client?

Transport: stdio, sse, http. Works with Claude Desktop, Cursor, Claude Code, and most MCP clients.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y '@postman/postman-mcp-server' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Score Breakdown

MCPpedia Score

Click each category to see evidence

61B

Last scored 4h ago

How we score →

Security

20/30

1 open vulnerability.

✗

Known CVEs — 1 open CVE(s): 0 critical/high, 0 medium, 0 lowcheck OSV.dev

○

Tool safety — No tools to analyze

○

Tool poisoning — No tools to analyze

○

Injection vectors — No tools to analyze

✓

Tool stability — Tool definitions stable

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

○

Dependency health — found on deps.dev, recently updated

✗

License — No license specified

○

Authentication — No authentication required

○

Repository — active repo

Advisories (1 open, 0 fixed)

infoMAL-2025-190909Open

Malicious code in @postman/postman-mcp-server (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c7c276129c0d99cb4f8aa63e9f3911b1f38145837396ac3b00ba48533a6050b8) The package @postman/postman-mcp-server was found to contain malicious code. ## Source: google-open-source-security (0c419e14201055a516cc9ef8dfe3f0ecc29ae793e9b304eeb4da6589465ab1d4) This package was compromised by the Sha1-Hulud: The Second Coming NPM worm. The malicious payload steals tokens and credentials and publishes them to GitHub. T

Published Nov 24, 2025source \u2192

CVEs checked daily via OSV.dev. Score algorithm is open source.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/com-postman-postman-mcp-server)](https://mcppedia.org/s/com-postman-postman-mcp-server)

Reviews

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is com.postman/postman-mcp-server safe to use?: com.postman/postman-mcp-server has 1 known CVE tracked by MCPpedia. You can verify these on OSV.dev by searching for "@postman/postman-mcp-server". Review the Security section above for details before installing.
How do I install com.postman/postman-mcp-server?: com.postman/postman-mcp-server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with com.postman/postman-mcp-server?: com.postman/postman-mcp-server is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio and sse and http transport.
Is com.postman/postman-mcp-server actively maintained?: com.postman/postman-mcp-server is actively maintained — last commit was 4 days ago. It has 209 GitHub stars.

MCP Security Weekly

Get CVE alerts and security updates for com.postman/postman-mcp-server and similar servers.

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?