Description
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.11, when n8n-mcp runs in HTTP transport mode, incoming requests to the POST /mcp endpoint had their request metadata written to server logs regardless of the authentication outcome. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens from the Authorization header, per-tenant API keys from the, x-n8n-key header in multi-tenant setups, JSON-RPC request payloads sent to the MCP endpoint. Access control itself was not bypassed — unauthenticated requests were correctly rejected with 401 Unauthorized — but sensitive values from those rejected requests could still be persisted in logs. This issue has been patched in version 2.47.11.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The n8n-MCP server logs request metadata from POST /mcp requests regardless of authentication outcome, so bearer tokens, per-tenant API keys, and JSON-RPC payloads from rejected requests are recorded in server logs. This exposure of credentials and request data could lead to disclosure to anyone who can view the logs, including external SIEM systems, shared storage, or operators with access.

Affected Systems

The vulnerability affects the n8n-MCP server developed by czlonkowski. Versions prior to 2.47.11 running in HTTP transport mode are impacted; the issue was fixed in release 2.47.11.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the lack of available EPSS data suggests no currently known widespread exploitation. The vulnerability is not listed in CISA KEV. Attackers can exploit it by sending unauthenticated POST requests to /mcp; the server logs the request metadata before rejecting the call, so sensitive headers and payloads are written to logs. Since access control itself is not bypassed, the primary threat is accidental disclosure of credentials to anyone with log access.

Generated by OpenCVE AI on May 8, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n-MCP v2.47.11 or later where the logging issue is corrected.
  • Configure the logging subsystem to exclude sensitive request headers and payloads for unauthenticated requests, for example by adjusting log filters or disabling request body logging.
  • Restrict access to the /mcp endpoint with authentication and network controls, ensuring that only trusted clients can reach it and that log storage is confined to trusted environments.

Generated by OpenCVE AI on May 8, 2026 at 20:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pfm2-2mhg-8wpx n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
History

Fri, 08 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Czlonkowski
Czlonkowski n8n-mcp
Vendors & Products Czlonkowski
Czlonkowski n8n-mcp

Fri, 08 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.11, when n8n-mcp runs in HTTP transport mode, incoming requests to the POST /mcp endpoint had their request metadata written to server logs regardless of the authentication outcome. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens from the Authorization header, per-tenant API keys from the, x-n8n-key header in multi-tenant setups, JSON-RPC request payloads sent to the MCP endpoint. Access control itself was not bypassed — unauthenticated requests were correctly rejected with 401 Unauthorized — but sensitive values from those rejected requests could still be persisted in logs. This issue has been patched in version 2.47.11.
Title n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
Weaknesses CWE-532
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Czlonkowski N8n-mcp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T18:58:24.574Z

Reserved: 2026-04-20T16:14:19.009Z

Link: CVE-2026-41495

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T20:16:30.323

Modified: 2026-05-08T20:16:30.323

Link: CVE-2026-41495

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses