DreamFactory 7.5.0 is focused on two audiences that have been growing fastest in our user base: teams wiring LLM agents to production databases through MCP, and security and platform teams hardening those deployments for real-world traffic.
For the first group, this release lands a first-class GitHub utility service for MCP custom tools, a new lookup picker that lets admins compose custom tools from DreamFactory's built-in configuration values instead of hand-typing keys, and an unsaved-changes save guard that prevents tool definitions from being silently dropped when saving an MCP service. It also streamlines the desktop MCP OAuth experience, sending clients straight through the OAuth flow instead of requiring a UI login hop.
For the second group, 7.5.0 delivers the most comprehensive security hardening pass DreamFactory has shipped in a single release — fixes spanning authentication, SQL injection, SSRF, unsafe deserialization, timing attacks, and open redirects across df-core, df-oauth, df-sqldb, df-database, df-system, df-script, df-mcp-server, and df-admin-interface. We ran the audit under the internal tag "2026-04 security scan," and every relevant package ships with its fixes on the 7.5.0 release line.
Under the covers, the MCP server has moved from SSE streaming to JSON responses (with guards around the remaining SSE paths) to eliminate a class of PHP worker lockups seen under concurrent client connections, and the admin UI now has a Jest + Playwright CI test harness backing it.
Why This Release Matters for AI-Database Integration and Security
Two trends have shown up clearly in DreamFactory deployments over the last quarter. First, MCP custom tools are being used not just to expose existing database APIs to agents, but to compose agents over multiple upstream services — internal lookups, third-party APIs, Git-hosted runbooks. That composition workflow has been happening through static JSON and headers typed by hand, which is error-prone and hard to reuse. Second, platform teams are holding those same deployments to standard security review, which means vulnerabilities that were acceptable in small internal deployments are no longer acceptable anywhere.
7.5.0 addresses both. Custom tools now have a lookup picker and a persistence guard so you stop losing work. GitHub is a turnkey integration rather than yet-another-custom-tool. And the security surface has been walked end-to-end, with every finding from our April 2026 security scan closed before the release was cut.
New Feature: GitHub as a First-Class MCP Utility Service
Custom MCP tooling in DreamFactory previously required you to build GitHub integration yourself: authenticate the PAT, model the endpoints, write the tool definitions. That worked, but it meant every team that wanted their AI agent to read a repository, open an issue, or enumerate pull requests was writing roughly the same boilerplate.
7.5.0 ships GitHub as a built-in DreamFactory utility service, integrated directly with the df-mcp-server custom-tool workflow.
How It Works
Once configured, GitHub becomes available to your MCP service the same way any DreamFactory service is — through named references in custom tool configuration — and the admin UI provides end-to-end configuration elements (repository targeting, auth, and tool surfacing). AI agents connected to your MCP server can then call GitHub through the same tool-invocation path they already use for database aggregation, without custom auth plumbing on your end.
What You Can Build
- Agents that triage issues against production context (query the database, read related GitHub issues, post a summary comment)
- Repository-aware assistants that answer "which file last touched this feature" by joining GitHub metadata with your internal data
- Operational agents that open an issue when a downstream API breaks a contract, with the database state that triggered the break already attached
GitHub is the first of a planned series of built-in utility services for MCP; it's where we saw the most duplicated effort across customers, so it's where we're starting.
New Feature: Custom MCP Tool Lookup Picker
Custom tools have always supported DreamFactory lookup values — the named keys that let you reference configuration (database credentials, base URLs, environment-specific overrides) from anywhere in the platform. Using them in custom tools, however, required remembering the exact lookup key and typing it correctly into the tool body.
7.5.0 adds a lookup picker to the custom-tool editor: a UI control that shows you the lookups defined in your DreamFactory instance and inserts the correct reference syntax with a click. This sounds small, but if you've ever tried to configure an MCP custom tool against a shared staging environment and mistyped as , you know the failure mode — a silent mis-lookup, surfaced only when an agent calls the tool and gets a confusing 404 back.
The lookup picker eliminates the typo class of failure entirely. Alongside it, inline JSON and JavaScript lint-error display now surfaces parsing issues directly in the custom-tool editor, and the static-headers JSON field emits clear error notifications when the body fails to parse. You find out the tool is broken before you save it, not after an agent calls it in production.
New Feature: Unsaved-Changes Guard for Custom Tools
A bug report from several customers in the 7.4.x line: if you edited custom tools on an MCP service and then saved the MCP service itself without explicitly saving the tools first, the tool edits were silently dropped. The MCP service saved successfully, but the tool changes were gone, and the only indication was that the tools didn't match your memory of what you'd typed.
7.5.0 fixes this with a save guard that detects unsaved tool changes at service-save time and surfaces a contextual popup asking whether to persist or discard them. The default is to persist, so the expected behavior — you saved, the thing you were editing is now saved — is what you get without extra clicks.
A related fix: custom tools now persist correctly on first service creation and on re-save of a tool that doesn't yet have an ID. Previously, creating an MCP service with custom tools defined in the same save action dropped the tools; you had to create the service first and then add tools in a second save. That's no longer necessary.
New Feature: MCP OAuth Direct Redirect
Desktop MCP clients — Claude Desktop, Cursor, and others — authenticate against DreamFactory through OAuth. Before 7.5.0, that flow sent the client through the DreamFactory admin UI login page first, which was a confusing hop for users who weren't themselves DreamFactory admins. If the client was authorized for OAuth but the human in front of the client wasn't an admin, they'd see an admin login prompt they couldn't satisfy, and the connect flow would stall.
MCP services can now declare an OAuth service for direct redirect: the MCP client is sent straight through the configured OAuth provider (Google, Azure AD, GitHub, your IdP of choice) and returned to the MCP session, skipping the admin UI entirely. End users see the OAuth screen they expect. The admin UI still handles admin-scoped flows; it's just no longer in the MCP client's path.
Platform-Wide 2026-04 Security Hardening
We ran a comprehensive security audit across the DreamFactory package set in April 2026. The findings are closed in this release.
Authentication and Authorization
- df-core: Fixed an authentication bypass in the filter path and widened the OAuth method filter from an allowlist to a blocklist (an earlier change had narrowly scoped OAuth coverage; 7.5.0 restores full method coverage)
- df-core: Removed a path that logged tokens to application logs
- df-core: generateConfirmationCode() now uses random_int() instead of rand() for cryptographically safe confirmation codes
- df-core: Password-reset and email-invite URLs now include an /auth/ prefix so they route through the authenticated handler (rather than a public path that accepted them for backwards compatibility)
- df-system: Removed the admin flag from password-reset email URLs — a reset URL can no longer grant admin context by virtue of being an admin's reset URL
- df-script: Script auth tokens are now generated with random_bytes(32) instead of uniqid(), removing a predictable-token class of attack
- df-oauth: Fixed an unsafe deserialization path, a timing-attack vector in token comparison, an open-redirect in the callback path, and a name-field bug affecting certain providers
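The three token-handling changes above, as an added illustration rather than DreamFactory's own code: the weak call each one replaced is noted in a comment, and the function names and code alphabet are assumptions for this example.

```php
<?php
// Added example; not df-core's, df-script's or df-oauth's own code. Function
// names and the code alphabet are assumptions for this illustration.

// rand() is a seeded, non-cryptographic PRNG: a few observed outputs let an
// observer reproduce the stream. random_int() draws from the OS CSPRNG.
function generateConfirmationCode(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max  = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];   // was: rand(0, $max)
    }
    return $code;
}

// uniqid() is a hex-encoded microsecond timestamp, so a token is guessable
// from the time it was issued. 32 CSPRNG bytes (256 bits) have no such structure.
function generateScriptAuthToken(): string
{
    return bin2hex(random_bytes(32));              // was: uniqid()
}

// A plain == comparison stops at the first differing byte, so response time
// reveals how long a matching prefix the caller has found; == is also subject
// to PHP's loose numeric-string comparison. hash_equals() takes time that does
// not depend on where the strings differ and always compares strictly.
function tokenMatches(string $expected, string $presented): bool
{
    return hash_equals($expected, $presented);     // was: $expected == $presented
}

// Constructed self-check.
$token = generateScriptAuthToken();
$other = substr($token, 0, 63) . ($token[63] === 'a' ? 'b' : 'a');   // differs in last nibble
if (strlen($token) !== 64 || !ctype_xdigit($token)) { throw new RuntimeException('bad token'); }
if (!tokenMatches($token, $token))                   { throw new RuntimeException('self-compare'); }
if (tokenMatches($token, $other))                    { throw new RuntimeException('mismatch'); }
if (strlen(generateConfirmationCode()) !== 32)       { throw new RuntimeException('bad code'); }
echo "tokens ok\n";
```

Existing tokens are unaffected by swapping the generator, which is why the FAQ below says no migration is required; only the comparison change applies to tokens already in the database.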
SQL Injection Hardening
- df-sqldb: Fixed SQL injection in MySQL INOUT stored-procedure parameter handling; a regression test has been added to the suite
- df-sqldb: Fixed SQL injection in ORDER BY, GROUP BY, filter, and expression parsing. The expression and filter security model has been widened from an allowlist to a blocklist, which closes the gap where legitimate but previously-unknown SQL constructs were being rejected and attackers could chain around the allowlist
- df-database: The db_function template substitution path now uses quoteValue() for values interpolated into SQL, closing an injection vector through template expansion
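The template-expansion fix above, as an added illustration that is not df-database's code. It models a configured SQL fragment with a placeholder that a request value is substituted into; the {value} placeholder name, the function names and the SQLite fixture are assumptions for this example.

```php
<?php
// Added example; not df-database's own code. {value}, the function names and
// the in-memory SQLite fixture are assumptions for this illustration.

// Vulnerable form: the request value is spliced into the SQL text as-is, so a
// quote character in the value ends the literal and becomes SQL syntax.
function expandTemplateUnsafe(string $template, string $value): string
{
    return str_replace('{value}', $value, $template);
}

// Hardened form: every interpolated value passes through a quoting routine that
// emits a driver-correct SQL literal (numbers unquoted, strings quoted with
// embedded quotes escaped, null as NULL).
function quoteValue(PDO $pdo, mixed $value): string
{
    if ($value === null)                    { return 'NULL'; }
    if (is_bool($value))                    { return $value ? '1' : '0'; }
    if (is_int($value) || is_float($value)) { return (string) $value; }
    return $pdo->quote((string) $value);
}

function expandTemplate(PDO $pdo, string $template, mixed $value): string
{
    return str_replace('{value}', quoteValue($pdo, $value), $template);
}

// Constructed fixture.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO customer (name) VALUES ('Alice'), ('O''Brien')");

// A field-level function template: compare against the upper-cased request value.
$template = "SELECT id FROM customer WHERE UPPER(name) = UPPER({value})";
$input    = "O'Brien";   // a legitimate value that happens to contain a quote

try {
    $pdo->query(expandTemplateUnsafe($template, $input));
    echo "unsafe: ran (unexpected)\n";
} catch (PDOException $e) {
    // The apostrophe terminated the literal and the remainder was parsed as SQL.
    // Here that surfaces as a syntax error; a crafted value would instead be
    // executed as part of the statement.
    echo "unsafe: SQL error -> " . $e->getMessage() . "\n";
}

$sql  = expandTemplate($pdo, $template, $input);
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "safe:   {$sql}\n";
echo "safe:   matched id(s): " . implode(',', $rows) . "\n";   // 2
```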
SSRF and Request Integrity
- df-system: Added SSRF validation to the import_url endpoints on Package, Import, and App resources. Before 7.5.0, a sufficiently privileged user could ask DreamFactory to fetch a URL that pointed at internal network addresses; the new validation rejects those requests
- df-mcp-server: Fixed host-header injection, OAuth-redirect issues, and session leaks. CORS posture was initially tightened during the scan and then re-widened explicitly for MCP's external-client nature — the MCP server is designed to be reached by clients you don't control (your users' desktops), and permissive CORS is the correct posture there, but it is now an explicit policy decision documented in the code
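The shape of an SSRF check for a fetch-by-URL endpoint like import_url, as an added illustration rather than df-system's code: only http(s), no embedded credentials, and every address the host resolves to must be public. The function names and the hostnames in the self-check are constructed for this example.

```php
<?php
// Added example; not df-system's own code. Function names and the hostnames in
// the self-check are constructed for this illustration.

function isPublicIp(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects
    // loopback, link-local (incl. 169.254.0.0/16), 0.0.0.0/8 and ::1.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function validateImportUrl(string $url, ?callable $resolve = null): void
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException('not an absolute URL with a host');
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("scheme '{$scheme}' not allowed");
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('embedded credentials not allowed');
    }
    $host = trim($parts['host'], '[]');        // bare IPv6 literal
    // Resolve DNS names here so a name with one public and one internal record
    // cannot pass on the public one. gethostbynamel() is IPv4-only; a production
    // resolver should also collect AAAA records.
    $resolver  = $resolve ?? static fn(string $h): array => gethostbynamel($h) ?: [];
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($addresses === []) {
        throw new InvalidArgumentException("host '{$host}' does not resolve");
    }
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            throw new InvalidArgumentException("host '{$host}' resolves to non-public {$ip}");
        }
    }
}

// Constructed resolver so the self-check needs no network.
$stubDns = static fn(string $h): array => [
    'packages.example.com' => ['203.0.113.10'],
    'intranet.example'     => ['203.0.113.11', '192.168.1.20'],   // split-horizon name
][$h] ?? [];

foreach (['https://packages.example.com/pkg.zip', 'http://intranet.example/pkg.zip',
          'http://10.0.0.5/pkg.zip', 'http://[::1]/pkg.zip', 'ftp://packages.example.com/x',
          'https://admin:secret@packages.example.com/pkg.zip'] as $candidate) {
    try {
        validateImportUrl($candidate, $stubDns);
        echo "allow  {$candidate}\n";
    } catch (InvalidArgumentException $e) {
        echo "reject {$candidate}: {$e->getMessage()}\n";
    }
}
```

The check resolves at validation time, so the fetch that follows should connect to the validated address (or re-validate) and re-run the check on every HTTP redirect; otherwise a DNS answer that changes between check and fetch, or a redirect chain, can route the request somewhere the check never saw.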
Admin UI
- df-admin-interface: Added a same-origin check to handleRedirectIfPresent so redirect targets are validated before navigation
- df-admin-interface: npm dependencies updated to eliminate critical CVEs surfaced by the scan
Why This Matters
If you are running DreamFactory in a regulated environment, a deployment passing a standard pen test is no longer optional. 7.5.0 is the release line where we close the backlog of findings our own scan turned up — upgrading is recommended for all deployments, and required for deployments subject to compliance review.
MCP Server Stability: JSON Transport and Stale Stream Eviction
Two MCP-side stability fixes in 7.5.0 address production pain we've heard about from customers running MCP at scale.
First, MCP responses have moved from SSE (Server-Sent Events) streams to JSON responses for most flows. SSE is elegant for streaming, but under concurrent connections from multiple MCP clients — which is common in team environments where five developers each have Cursor open against the same MCP server — PHP workers could lock up waiting on stream state. JSON responses release the worker immediately and have eliminated that lockup class in our internal testing. The remaining SSE paths have guards around them that enforce timeouts.
Second, stale SSE streams are now evicted on reconnect. Previously, if a client disconnected and reconnected to the same MCP session, the old stream was still associated with the session and the reconnect was rejected with a 409. Reconnects now cleanly replace the prior stream, so flaky network conditions no longer require a full session restart.
Together these changes mean an MCP server that previously handled a team of 3-5 developers before worker-pool saturation can now handle a team of 20 on the same host sizing. We'll have more detailed scaling guidance in a follow-up post.
Admin UI Improvements
Beyond the MCP custom-tool work, the admin UI shipped several quality-of-life fixes:
- Event Scripts: The Script Type dropdown now populates correctly for services whose names contain underscores (a surprising bug that affected anyone with a service named like my_postgres or sales_db), scriptMethod wiring is fixed, and there's now a sensible fallback when the method name is empty
- Event Scripts performance: Event-script services are fetched lazily when the section is opened rather than eagerly on page load, and events for a given service are fetched on selection. On large instances this takes a noticeable bite out of initial page load
- Case interceptor exemption: /system/event responses are now exempted from the snake-to-camelCase case interceptor so event identifiers come through the API exactly as they're stored, rather than being mangled into camelCase
- Editor: The Ace JavaScript lint worker now permits top-level await under module:true, so modern async script bodies lint cleanly
- Loading states: Fixed a spinner that could get stuck after rapid concurrent requests — it now reliably clears when the last request settles
Test and CI Infrastructure
The admin interface package now has Jest wired into its CI with regression specs covering the 2026-04 fixes, and a Playwright scaffold with smoke specs and a dedicated CI workflow. Playwright is scoped to manual/nightly runs rather than per-PR so the default CI cycle stays fast; the smoke specs catch the cross-cutting regressions that unit tests can miss.
On the server side, test hardening landed across df-sqldb (PHPUnit 9 compatibility, explicit driver/host configuration, and reliable cleanup between runs), df-database (void return type on tearDown() for strict PHPUnit 9), df-system (explicit admin authentication, order-independent assertions, stronger fixture passwords), and df-user (fixture passwords upgraded to satisfy a stronger strength policy).
These changes aren't user-visible, but they're the reason we can ship a release of this scope with confidence and do it regularly.
Bug Fixes
In addition to the features and hardening above, 7.5.0 addresses:
- df-sqldb: A regression where null values in additional SQL init statements caused service errors at startup
- df-mcp-server: Order-of-operations issue where custom-tool role checks against services evaluated inconsistently with other service-level authorization
- df-admin-interface: Loading spinner stuck after rapid concurrent requests
- df-admin-interface: Script Type dropdown empty for services with underscores in their names
- df-admin-interface: scriptMethod selection wiring and empty-name fallback
Upgrade Notes
- Security fixes are cumulative — upgrading is recommended for all deployments. The 2026-04 scan covers auth bypass, SQL injection, SSRF, unsafe deserialization, timing attacks, and open redirects across multiple packages
- Password-reset and invite URLs now include an /auth/ prefix. External tooling that parses or constructs DreamFactory reset URLs should be updated
- MCP transport: The MCP server now returns JSON instead of SSE for most flows. Compliant MCP clients require no changes — the switch is server-side and transparent
- MCP custom tool persistence: Tools that previously appeared "lost" on service creation in 7.4.x will persist correctly in 7.5.0. Re-verify any that were affected
- Password strength policy: The df-user fixture-password upgrade reflects a stronger strength policy. Programmatic passwords (old CI fixtures, seeded test accounts) may need to be updated
- Platform baseline is unchanged from 7.4.x (PHP 8.3 / Laravel 11). No host-level upgrade is required
- Standard upgrade process applies for all other changes
Frequently Asked Questions
Do I need to reconfigure my MCP clients after upgrading?
No. Compliant MCP clients (Claude Desktop, Cursor, and others) communicate over the protocol, and the transport change is transparent at that layer. Clients that were hard-coded to an SSE response will need adjustment, but no shipping MCP client we're aware of does that.
Is the security hardening backported to 7.4.x?
The individual package fixes are in the tagged releases of each package (df-core 1.0.15, df-oauth 1.0.2, etc.). 7.5.0 is the release line where all the fixes are composed together in the df-commercial meta-package. We recommend upgrading to 7.5.0 rather than pinning backports.
Will the new GitHub utility service work with GitHub Enterprise?
Yes — the integration targets the GitHub REST API, and the base URL is configurable. GitHub Enterprise Server deployments and GitHub Enterprise Cloud are both supported.
Does the MCP OAuth direct redirect replace the admin UI login entirely?
No. It's a per-MCP-service configuration. Admin UI logins still flow through the admin UI; MCP client connects can now skip the UI hop when the MCP service has a direct OAuth service configured.
Are there any breaking changes for existing SQL queries?
No. The expression and filter validation model widened from allowlist to blocklist, which means queries that worked in 7.4.x continue to work in 7.5.0, plus more. Queries that used known-bad constructs (the things the old allowlist silently dropped) now run — but those queries were being blocked by the old validator, so they represent new capability rather than breakage.
Does the random_int() / random_bytes() change affect existing tokens?
No. Existing confirmation codes and script auth tokens in your database remain valid; only newly generated tokens use the stronger RNG. No migration is required.
What happens to my custom tools during the upgrade?
Custom tools persist through the upgrade unchanged. The persistence-guard fix means tools you edit after upgrading will no longer be silently dropped on service save; tools already in the database are unaffected by the upgrade itself.
Is there a migration path for the password-reset URL change?
Password-reset and invite URLs are generated fresh each time a reset/invite is issued, so the change takes effect on the next issued URL after upgrade. In-flight URLs from before the upgrade will continue to resolve — DreamFactory accepts both the old and new URL shapes for a grace period on reset/invite traffic.
How do I try the GitHub MCP integration?
Configure a GitHub service under the utility service types in the admin UI, connect it to your MCP server, and surface it as a custom tool. Full step-by-step docs are in the MCP section of the DreamFactory documentation.
Where do I report issues?
File a ticket on the DreamFactory repository or reach out to support. Security findings should be reported privately to the security contact listed in the project README.
Ready to upgrade? Pull the 7.5.0 release of DreamFactory and run the standard upgrade steps. If you're running DreamFactory in Docker, the 7.5.0 image is available on the usual registry. If you're on a managed deployment, your DreamFactory support contact will schedule the upgrade window. For customers evaluating DreamFactory, this is a good release to start from — the security posture is the strongest it's been, and the MCP developer experience has taken a noticeable step forward.
Kevin McGahey is an accomplished solutions engineer and product lead with expertise in API generation, microservices, and legacy system modernization, as demonstrated by his successful track record of facilitating the modernization of legacy databases for numerous public sector organizations.