mcp-canvas-lms

Name: mcp-canvas-lms
Author: DMontgomery40

Issues

Version 2.2 - 54 tools available - an MCP server for interacting with the Canvas LMS API. This server allows you to manage courses, assignments, enrollments, and grades within Canvas.

100stars

38forks

JavaScript

Installation

# Add to your Claude Code skills
git clone https://github.com/DMontgomery40/mcp-canvas-lms

Getting Started

Guides for using mcp servers skills like mcp-canvas-lms.

Best MCP Servers in 2026
Category-by-category picks: databases, dev tools, productivity, browser automation.
What is an AI Skills Marketplace?
Definitions, how marketplaces work, and how to choose between them in 2026.
Getting Started with AI Skills
First-time install walkthrough for Claude Code, Codex CLI, and ChatGPT.

Security ReportIssues

Last scanned: 6/24/2026

{
  "issues": [
    {
      "type": "npm-audit",
      "message": "@hono/node-server: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "@vitest/coverage-v8: Vulnerability found",
      "severity": "critical"
    },
    {
      "type": "npm-audit",
      "message": "ajv: ajv has ReDoS when using `$data` option",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "axios: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "brace-expansion: brace-expansion Regular Expression Denial of Service vulnerability",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "esbuild: esbuild allows arbitrary file read when running the development server on Windows",
      "severity": "low"
    },
    {
      "type": "npm-audit",
      "message": "express-rate-limit: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "form-data: form-data: CRLF injection in form-data via unescaped multipart field names and filenames",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "glob: glob CLI: Command injection via -c/--cmd executes matches with shell:true",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "hono: Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "js-yaml: js-yaml has prototype pollution in merge (<<)",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "qs: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "shell-quote: shell-quote quote() does not escape newlines in object .op values",
      "severity": "critical"
    },
    {
      "type": "npm-audit",
      "message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "vitest: When Vitest UI server is listening, arbitrary file can be read and executed",
      "severity": "critical"
    },
    {
      "type": "npm-audit",
      "message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
      "severity": "medium"
    }
  ],
  "status": "FAILED",
  "scannedAt": "2026-06-24T07:39:56.393Z",
  "npmAuditRan": true,
  "pipAuditRan": true,
  "promptInjectionRan": true
}

README.md

Frequently Asked Questions

What is mcp-canvas-lms?

mcp-canvas-lms is an open-source mcp servers skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by DMontgomery40. Version 2.2 - 54 tools available - an MCP server for interacting with the Canvas LMS API. This server allows you to manage courses, assignments, enrollments, and grades within Canvas. It has 100 GitHub stars.

Is mcp-canvas-lms safe to use?

mcp-canvas-lms failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.

How do I install mcp-canvas-lms?

Clone the repository with "git clone https://github.com/DMontgomery40/mcp-canvas-lms" and add it to your Claude Code skills directory (see the Installation section above).

What programming language is mcp-canvas-lms written in?

mcp-canvas-lms is primarily written in JavaScript. It is open-source under DMontgomery40 on GitHub, so you can review or fork the full source.

Are there alternatives to mcp-canvas-lms?

Yes. SkillsLLM lists many other MCP Servers skills you can browse and compare side by side. Open the MCP Servers category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh mcp-canvas-lms against similar tools.

MCP for Beginners

Build MCP servers that give AI assistants real capabilities

36 minBeginner

Comments (0)

to leave a comment.

No comments yet. Be the first to share your thoughts!

Related Skills

ECC

by affaan-m

The agent harness performance optimization system. Skills, instincts, memory, security, and research-first development for Claude Code, Codex, Opencode, Cursor and beyond.

220,737

Popular in MCP Servers

Top skills in this category by stars

TrendRadar

by sansan0

⭐AI-driven public opinion & trend monitor with multi-platform aggregation, RSS, and smart alerts.🎯 告别信息过载，你的 AI 舆情监控助手与热点筛选工具！聚合多平台热点 + RSS 订阅，支持关键词精准筛选。AI 智能筛选新闻 + AI 翻译 + AI 分析简报直推手机，也支持接入 MCP 架构，赋能 AI 自然语言对话分析、情感洞察与趋势预测等。支持 Docker ，数据本地/云端自持。集成微信/飞书/钉钉/Telegram/邮件/ntfy/bark/slack 等渠道智能推送。

cve-search_mcp medical-mcp

Canvas MCP Server v2.3.0

Security and disclosure history

This project is an independent MCP server for Canvas LMS APIs. It is not affiliated with, endorsed by, or maintained by Instructure or Canvas.

In June 2025, during development of this MCP, I identified a Broken Access Control issue in the Canvas environment at bootcampspot.instructure.com. The issue exposed personally identifiable information for other students enrolled in my course.

I reported the issue through Bugcrowd on June 5, 2025, and also contacted Instructure / Canvas security channels directly. The Bugcrowd report was later closed as "Not Applicable." In subsequent correspondence, Instructure stated that the bootcampspot.instructure.com environment was outside its control.

Public references:

Disclosure thread: https://www.reddit.com/r/cybersecurity/comments/1t6wmkw/reported_a_broken_access_control_bug_to/
Bugcrowd activity timeline: https://imgur.com/gallery/canvas-vuln-declared-n-11-months-ago-zYfHnBs
Later Instructure / BootcampSpot correspondence: https://imgur.com/a/BnhgXme

This repository does not publish exploit steps, affected tenant details beyond what is already public, live URLs, screenshots containing student data, or proof-of-concept abuse flows.

Separately, Instructure publicly disclosed a Canvas security incident in May 2026, and public reporting has linked the incident to ShinyHunters claims. This repository makes no claim that the June 2025 report caused, enabled, predicted, or is technically connected to the May 2026 incident.

This disclosure is documented here for project history and transparency only.

What this is

A comprehensive Model Context Protocol (MCP) server for Canvas LMS with complete student, instructor, and account administration functionality

🚀 What's New in v2.3.0

🌐 NEW: Streamable HTTP transport support (MCP_TRANSPORT=streamable-http)
🖥️ Preserved: First-class stdio transport for local MCP clients
🧪 Added: Behavior tests for lifecycle, transports, and structured failure-path errors
🧱 Improved: Stricter tool schemas and codemode-oriented tool descriptions
🔧 FIXED: Course creation "page not found" error (missing account_id parameter)
👨‍💼 Account Management: Complete account-level administration tools
📊 Reports & Analytics: Generate and access Canvas account reports
👥 User Management: Create and manage users at the account level
🏢 Multi-Account Support: Handle account hierarchies and sub-accounts
✅ API Compliance: All endpoints now follow proper Canvas API patterns

🎯 Key Features

🎓 For Students

Course Management: Access all courses, syllabi, and course materials
Assignment Workflow: View, submit (text/URL/files), and track assignments
Communication: Participate in discussions, read announcements, send messages
Progress Tracking: Monitor grades, module completion, and calendar events
Quizzes: Take quizzes, view results and feedback
File Access: Browse and download course files and resources

👨‍🏫 For Instructors

Course Creation: Create and manage course structure (now with proper account support)
Grading: Grade submissions, provide feedback, manage rubrics
User Management: Enroll students, manage permissions
Content Management: Create assignments, quizzes, discussions

👨‍💼 For Account Administrators (NEW!)

Account Management: Manage institutional Canvas accounts
User Administration: Create and manage users across accounts
Course Oversight: List and manage all courses within accounts
Reporting: Generate enrollment, grade, and activity reports
Sub-Account Management: Handle account hierarchies and structures

🛠️ Technical Excellence

Robust API: Automatic retries, pagination, comprehensive error handling
Cloud Ready: Docker containers, Kubernetes manifests, health checks
Well Tested: Unit tests, integration tests, mocking, coverage reports
Type Safe: Full TypeScript implementation with strict types
50+ Tools: Comprehensive coverage of Canvas LMS functionality

Quick Start

Option 1: Claude Desktop Integration (Recommended MCP Setup)

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "canvas-mcp-server": {
      "command": "npx",
      "args": ["-y", "canvas-mcp-server"],
      "env": {
        "CANVAS_API_TOKEN": "your_token_here",
        "CANVAS_DOMAIN": "your_school.instructure.com"
      }
    }
  }
}

Option 2: NPM Package

# Install globally
npm install -g canvas-mcp-server

# Configure
export CANVAS_API_TOKEN="your_token_here"
export CANVAS_DOMAIN="your_school.instructure.com"

# Run
canvas-mcp-server

Option 3: Docker

docker run -d \
  --name canvas-mcp \
  -p 3000:3000 \
  -e CANVAS_API_TOKEN="your_token" \
  -e CANVAS_DOMAIN="school.instructure.com" \
  -e MCP_TRANSPORT="streamable-http" \
  -e MCP_HTTP_HOST="0.0.0.0" \
  -e MCP_HTTP_PORT="3000" \
  -e MCP_HTTP_PATH="/mcp" \
  ghcr.io/dmontgomery40/mcp-canvas-lms:latest

Transport Modes

The server supports two explicit transport modes:

stdio (default): best for Claude Desktop/Codex/Cursor local MCP wiring.
streamable-http: best for local HTTP integrations and containerized workflows.

Transport environment variables

# Required Canvas auth
CANVAS_API_TOKEN=your_token
CANVAS_DOMAIN=your_school.instructure.com

# Transport selection
MCP_TRANSPORT=stdio # or streamable-http

# Streamable HTTP settings
MCP_HTTP_HOST=127.0.0.1
MCP_HTTP_PORT=3000
MCP_HTTP_PATH=/mcp
MCP_HTTP_STATEFUL=true
MCP_HTTP_JSON_RESPONSE=true
MCP_HTTP_ALLOWED_ORIGINS=

💼 Account Admin Workflow Examples

Create a New Course (FIXED!)

"Create a new course called 'Advanced Biology' in account 123"

Now properly creates courses with required account_id parameter

Manage Users

"Create a new student user John Doe with email john.doe@school.edu in our main account"

Creates user accounts with proper pseudonym and enrollment setup

Generate Reports

"Generate an enrollment report for account 456 for the current term"

Initiates Canvas reporting system for institutional analytics

List Account Courses

"Show me all published Computer Science courses in our Engineering account"

Advanced filtering and searching across account course catalogs

🎓 Student Workflow Examples

Check Today's Assignments

"What assignments do I have due this week?"

Lists upcoming assignments with due dates, points, and submission status

Submit an Assignment

"Help me submit my essay for English 101 Assignment 3"

Guides through text submission with formatting options

Check Grades

"What's my current grade in Biology?"

Shows current scores, grades, and assignment feedback

Participate in Discussions

"Show me the latest discussion posts in my Philosophy class"

Displays recent discussion topics and enables posting responses

Track Progress

"What modules do I need to complete in Math 200?"

Shows module completion status and next items to complete

Getting Canvas API Token

Log into Canvas → Account → Settings
Scroll to "Approved Integrations"
Click "+ New Access Token"
Enter description: "Claude MCP Integration"
Copy the generated token Save securely!

⚠️ Account Admin Note: For account-level operations, ensure your API token has administrative privileges.

Production Deployment

Docker Compose

git clone https://github.com/DMontgomery40/mcp-canvas-lms.git
cd mcp-canvas-lms
cp .env.example .env
# Edit .env with your Canvas credentials
docker-compose up -d

Kubernetes

kubectl create secret generic canvas-mcp-secrets \
  --from-literal=CANVAS_API_TOKEN="your_token" \
  --from-literal=CANVAS_DOMAIN="school.instructure.com"

kubectl apply -f k8s/

Health Monitoring

# Check application health
curl http://localhost:3000/health

# Or use the built-in health check
npm run health-check

Development

# Setup development environment
git clone https://github.com/DMontgomery40/mcp-canvas-lms.git
cd mcp-canvas-lms
npm install

# Start development with hot reload
npm run dev:watch

# Run tests
npm run test
npm run coverage

# Code quality
npm run lint
npm run type-check

📚 Available Tools (50+ Tools)

canvas_health_check - Check API connectivity
canvas_list_courses - List all your courses
canvas_get_course - Get detailed course info
canvas_list_assignments - List course assignments
canvas_get_assignment - Get assignment details
canvas_submit_assignment - Submit assignment work
canvas_get_submission - Check submission status
canvas_list_modules - List course modules
canvas_get_module - Get module details
canvas_list_module_items - List items in a module
canvas_mark_module_item_complete - Mark items complete
canvas_list_discussion_topics - List discussion topics
canvas_get_discussion_topic - Get discussion details
canvas_post_to_discussion - Post to discussions
canvas_list_announcements - List course announcements
canvas_get_user_grades - Get your grades
canvas_get_course_grades - Get course-specific grades
canvas_get_dashboard - Get dashboard info
canvas_get_dashboard_cards - Get course cards
canvas_get_upcoming_assignments - Get due dates
canvas_list_calendar_events - List calendar events
canvas_list_files - List course files
canvas_get_file - Get file details
canvas_list_folders - List course folders
canvas_list_pages - List course pages
canvas_get_page - Get page content
canvas_list_conversations - List messages
canvas_get_conversation - Get conversation d