Drupal MCP 1.1 Released: Security, HTTP Support & Roadmap Update

Giorgi Jibladze, CTO and Partner at Omedia, published an update on the progress of the Drupal MCP (Model Connection Protocol) module. The post outlines the current state of the module, improvements made in version 1.1, and the direction of future development.

Omedia began development of the MCP module just two days after Anthropic released the initial MCP specification, positioning Drupal as one of the first content management systems to support the standard. At its core, the module is designed to allow Drupal to function as an MCP server, connecting external large language models (LLMs) to Drupal in a structured and standards-compliant way.

The latest version, MCP 1.1, focuses on security and integration. Following a security review by Marcus Johansson, the module now includes permission checks, refined access controls, and improvements to authenticated access. Token authentication has been updated to let administrators assign specific user accounts, addressing previous limitations where the system defaulted to user 1.

The update also changes how content types are managed: all are now disabled by default, giving developers clearer control. Drush command execution has been tightened to limit exposure, with only whitelisted commands allowed and warnings added for those considered high-risk.

On the connectivity side, version 1.1 introduces initial support for HTTP transport, in addition to STDIO. This allows easier integration with cloud-hosted LLMs via public URLs. Support for Server-Sent Events (SSE) and better authentication are noted as priorities for future releases.

A formal roadmap has been published and will continue to evolve based on community input. High on the list is implementing OAuth-based authorisation—necessary for full MCP compliance. Although a prototype exists, broader coordination is needed since OAuth is not yet part of Drupal core.

Additional goals include enabling HTTP streaming via SSE and integrating with ECA (Event-Condition-Action) actions, a feature that will require collaboration with developer Jürgen Haas and his team.

Documentation and setup guides for the module are available on Omedia’s site. Feedback and collaboration from the Drupal community are encouraged as development continues.