Skip to main content

MCP server for Microsoft Patch Tuesday security updates (MSRC Security Update Guide)

Project description

Disclaimer: This is an independent, self-built project and is not an official Microsoft tool or service.

Patch Tuesday MCP Server

mcp-name: io.github.jonnybottles/patch-tuesday

Ask your AI assistant about Microsoft security updates. This Python-based MCP (Model Context Protocol) server connects AI assistants like Claude to the MSRC Security Update Guide — the authoritative source for every CVE Microsoft patches — enabling natural-language queries over Patch Tuesday releases: CVEs, KB articles, severity ratings, CVSS scores, affected products, and exploited-in-the-wild status.

What It Does

Patch Tuesday MCP Server bridges Microsoft's official CVRF security update API and your AI assistant, allowing you to:

  • Get the monthly rollup - "What did this month's Patch Tuesday fix?"
  • Find what's actively exploited - "Which vulnerabilities are being exploited in the wild?"
  • Look up any CVE - "Tell me about CVE-2026-41108" (KBs, affected products, CVSS, description)
  • Map KBs to CVEs - "Which vulnerabilities does KB5094123 fix?"
  • Filter by product - "What Critical CVEs affect Windows Server 2022 this month?"
  • Track zero-days - "Were any publicly disclosed vulnerabilities patched in April?"
  • See what's confirmed exploited - "Which of this month's CVEs are on the CISA KEV list?" — with federal remediation due dates
  • Rank by exploitation probability - "Show me CVEs with EPSS above 50%" — daily FIRST.org exploit prediction scores
  • Avoid stale patches - "Is KB5087538 superseded by anything newer?" — walks Microsoft's supersedence links
  • Prioritize patching - Results are sorted most-urgent-first: KEV/exploited, then EPSS, then severity, then CVSS

Perfect for security analysts, sysadmins, and IT professionals who triage Microsoft security updates every month — without clicking through the Security Update Guide portal.

Data comes from the official, public MSRC CVRF v3 API. No authentication or API key required.

Why This Server?

This is the only MCP server that models the Patch Tuesday release itself. Plenty of MCP servers can look up a CVE — general-purpose vulnerability aggregators fan a known CVE ID out across NVD, OSV, and threat-intel feeds. They answer "tell me about CVE-X". But they have no concept of a monthly Microsoft release, a KB article, or a product family — so they structurally cannot answer the questions a Microsoft shop actually asks on the second Tuesday of every month:

The question you actually have Generic CVE lookup servers patch-tuesday-mcp
"Summarize this month's Patch Tuesday" ❌ no concept of a release ✅ rollup + stats in one call
"What Critical CVEs affect Windows Server 2022 this month?" ❌ can't filter by Microsoft product ✅ product & family filtering
"Which vulnerabilities does KB5094123 fix?" ❌ no KB awareness ✅ KB ↔ CVE mapping
"What's being exploited in the wild right now?" ⚠️ per-CVE only, if you already know the CVE ✅ filter the whole month
"What do I patch first?" ✅ urgency-sorted: exploited/KEV → EPSS → severity → CVSS
"Tell me about CVE-X" ✅ (often with more ecosystem data) ✅ MSRC detail: KBs, builds, supersedence

Under the hood, the difference is the data source: this server parses the full MSRC CVRF monthly documents — the ProductTree, per-product severity threats, exploitability assessments, and KB remediation chains that per-CVE APIs never expose. That's what makes release-centric questions possible.

Other things it deliberately gets right:

  • Zero API keys, zero accounts — the MSRC API is public; setup is one uvx command
  • One tool, not thirty — a single consolidated msrc_search keeps your AI client's context lean and tool selection reliable
  • Built for the monthly workflow — triage a release, brief your team, prioritize patching, then get on with your life

Roadmap

  • Cross-month keyword search

Possible future add-on: inferred supersedence graph

Microsoft's Supercedence field is sparse — it's often missing for older KBs and many cumulative updates. Filling those gaps requires heuristic inference (e.g., "a newer cumulative update for the same product implicitly supersedes the older one"), which in turn means correctly classifying update types (cumulative vs. security-only vs. servicing-stack) across Microsoft's inconsistent product naming, ideally backed by a precomputed KB graph rebuilt monthly after each Patch Tuesday. This is deliberately not implemented today: wrongly marking a patch as superseded would cause someone to skip a patch they actually need, and that failure mode is worse than an incomplete chain. If it lands, inferred links will be explicitly labeled ("inferred": true) and kept separate from Microsoft-stated ones. If you'd use this, please open an issue — demand is what will prioritize it.

Requirements

General

  • Python 3.11+
  • An MCP-compatible client (Claude Desktop, Cursor, Claude Code, GitHub Copilot CLI, etc.)

Using uvx (Recommended)

If you are installing or running the server via uvx, you must have uv installed first.

Install uv:

# macOS / Linux
curl -LsSf https://astral.sh/uv/install.sh | sh

# Windows (PowerShell)
irm https://astral.sh/uv/install.ps1 | iex

uvx allows you to run the MCP server without installing the package globally.

Using pip (Alternative)

pip install patch-tuesday-mcp

Installation

Install from PyPI

uvx patch-tuesday-mcp

Or install with pip:

pip install patch-tuesday-mcp

Upgrade to Latest Version

uvx patch-tuesday-mcp@latest

Or with pip:

pip install --upgrade patch-tuesday-mcp

Quick Setup

Set up in VS Code Set up in Cursor Set up in Claude Code Set up in Copilot CLI

One-click setup: Click the VS Code badge for automatic configuration (requires uv installed) Manual setup: See instructions below for Cursor, Claude Code, Copilot CLI, or Claude Desktop

Features

  • msrc_search – Search and filter Microsoft security updates by keyword, CVE, KB number, month, product, severity, CVSS score, exploited-in-the-wild status, or public disclosure. When no month is given, results default to the most recent release whose Patch Tuesday has already occurred — the upcoming month's pre-release document (early Chromium/out-of-band entries only) is skipped by default and available explicitly via month=. Results are enriched with EPSS scores (FIRST.org 30-day exploitation probability, min_epss=0.5 filter) and CISA KEV catalog status with federal remediation due dates (kev=True filter) — both public, keyless sources. Add include_chain=True to a KB lookup to walk Microsoft-stated supersedence chains (which KBs it replaces, newest → oldest). Set include_stats=True for aggregate counts (by severity, impact, product family, exploited, KEV). Use limit=0 with include_stats=True for a stats-only month overview.

Prompt Examples

Once connected to an MCP client, you can ask questions like:

  1. Monthly overview: "Summarize this month's Patch Tuesday"
  2. Exploited vulnerabilities: "Which Microsoft vulnerabilities are being actively exploited?"
  3. CVE lookup: "What is CVE-2026-41108 and which KB fixes it?"
  4. KB lookup: "What does KB5094123 patch?"
  5. Product filter: "Show me Critical vulnerabilities affecting Exchange Server this month"
  6. Patch prioritization: "What should I patch first from the June 2026 updates?"
  7. CISA KEV: "Which of this month's CVEs are on the CISA KEV list?"
  8. EPSS: "Show me CVEs with EPSS above 50%"
  9. Supersedence: "Is KB5087538 superseded by anything newer?"

Usage

Run the MCP Server

uvx patch-tuesday-mcp

Or if installed with pip:

patch-tuesday-mcp

Connect from Claude Desktop

Add to your Claude Desktop MCP config:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json

Using uvx (recommended)

{
  "mcpServers": {
    "patch-tuesday": {
      "command": "uvx",
      "args": ["patch-tuesday-mcp"]
    }
  }
}

Using installed package

{
  "mcpServers": {
    "patch-tuesday": {
      "command": "patch-tuesday-mcp"
    }
  }
}

Connect from Cursor

Option 1: One-Click Install (Recommended)

cursor://anysphere.cursor-deeplink/mcp/install?name=patch-tuesday-mcp&config=eyJjb21tYW5kIjogInV2eCIsICJhcmdzIjogWyJwYXRjaC10dWVzZGF5LW1jcCJdfQ==

Option 2: Manual Configuration

Add to your Cursor MCP config (~/.cursor/mcp.json):

{
  "mcpServers": {
    "patch-tuesday": {
      "command": "uvx",
      "args": ["patch-tuesday-mcp"]
    }
  }
}

Connect from Claude Code

claude mcp add --transport stdio patch-tuesday -- uvx patch-tuesday-mcp

Connect from GitHub Copilot CLI

Add to ~/.copilot/mcp-config.json:

{
  "mcpServers": {
    "patch-tuesday": {
      "type": "stdio",
      "command": "uvx",
      "args": ["patch-tuesday-mcp"]
    }
  }
}

Self-Hosting as a Remote MCP Server

The server also supports the HTTP transport for remote/shared deployments:

MCP_TRANSPORT=http MCP_PORT=8000 patch-tuesday-mcp
# MCP endpoint: http://localhost:8000/mcp

Or with Docker:

docker build -t patch-tuesday-mcp .
docker run -p 8000:8000 patch-tuesday-mcp

HTTP-mode environment variables:

Variable Default Description
MCP_TRANSPORT stdio Set to http for remote serving
MCP_HOST / MCP_PORT 0.0.0.0 / 8000 Bind address
RATE_LIMIT_RPM 60 Per-IP requests/minute (0 disables)
MCP_MAX_BODY_BYTES 262144 Max request body size, returns 413 above it (0 disables)
APPLICATIONINSIGHTS_CONNECTION_STRING unset Opt-in usage telemetry (requires pip install patch-tuesday-mcp[telemetry])

HTTP mode also serves GET /health (liveness endpoint, exempt from rate limiting) and runs stateless, so it can scale to multiple replicas behind a load balancer without session affinity.

See docs/deploy-azure.md for a full Azure Container Apps deployment guide.

Privacy

Local stdio usage (the default) sends no telemetry — ever. Telemetry only exists for self-hosted HTTP deployments, is off unless the operator sets their own Application Insights connection string, and never stores raw client IPs (they are hashed with a daily salt for unique-user counts).

Development

pip install -e ".[dev]"
pytest
ruff check src/ tests/

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

patch_tuesday_mcp-0.3.1.tar.gz (60.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

patch_tuesday_mcp-0.3.1-py3-none-any.whl (32.8 kB view details)

Uploaded Python 3

File details

Details for the file patch_tuesday_mcp-0.3.1.tar.gz.

File metadata

  • Download URL: patch_tuesday_mcp-0.3.1.tar.gz
  • Upload date:
  • Size: 60.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for patch_tuesday_mcp-0.3.1.tar.gz
Algorithm Hash digest
SHA256 5780e9f20d4e2a0e4f8d223506afbca1c22b273cb3b057218b981fa0e96b0681
MD5 f73e735c450065b6d23e0b64852cfb40
BLAKE2b-256 95994b61f600465b9ef26b135f3aeb7d51a2a85b0931e4d1ac4cf629e25f39a5

See more details on using hashes here.

Provenance

The following attestation bundles were made for patch_tuesday_mcp-0.3.1.tar.gz:

Publisher: publish.yml on jonnybottles/patch-tuesday-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file patch_tuesday_mcp-0.3.1-py3-none-any.whl.

File metadata

File hashes

Hashes for patch_tuesday_mcp-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 7ec2d5c5c300538cb6f5d695cfbfd2ccee82add7b861f5f816e1ed2f8bab935c
MD5 48a70e035f7accc259894feccef0ff6a
BLAKE2b-256 0bf00778527c70a1ce3d4517a95610cfdc638ee9b79b246ee17be14518c7dbf7

See more details on using hashes here.

Provenance

The following attestation bundles were made for patch_tuesday_mcp-0.3.1-py3-none-any.whl:

Publisher: publish.yml on jonnybottles/patch-tuesday-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page