Critical-risk tools in Redmine MCP OAuth Server
9 of the 45 tools in Redmine MCP OAuth Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
delete_groupDestructiveDelete a Redmine group. confirm must be true.
-
delete_issueDestructiveDelete a Redmine issue. confirm must be true.
-
delete_issue_relationDestructiveDelete a Redmine issue relation. confirm must be true.
-
delete_membershipDestructiveRemove a user from a Redmine project. confirm must be true.
-
delete_projectDestructiveDelete a Redmine project. confirm must be true.
-
delete_time_entryDestructiveDelete a Redmine time entry. confirm must be true.
-
delete_userDestructiveDelete a Redmine user (requires admin). confirm must be true.
-
delete_versionDestructiveDelete a Redmine version. confirm must be true.
-
remove_issue_watcherDestructiveRemove a watcher from a Redmine issue.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.