Description
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material — most notably n8n_manage_credentials.data — the raw values can be persisted in logs. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens and OAuth credentials sent through n8n_manage_credentials, per-tenant API keys and webhook auth headers embedded in tool arguments, arbitrary secret-bearing payloads passed to any MCP tool. The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. This issue has been patched in version 2.47.13.
Published: 2026-05-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes full arguments and JSON‑RPC parameters of authenticated MCP tool calls to be written to the server logs before any redaction is performed. When those arguments contain credential material—such as bearer tokens, OAuth secrets, per‑tenant API keys, webhook authentication headers, or arbitrary secret‑bearing payloads—the raw values are persisted in logs that may be accessible outside the trusted request boundary. This exposure can lead to disclosure of sensitive authentication information and other secrets.

Affected Systems

The affected product is n8n-mcp, an MCP server, published on GitHub under the czlonkowski account, that gives AI assistants access to n8n node documentation, properties, and operations. All releases prior to version 2.47.13 are affected when the server runs in HTTP transport mode; version 2.47.13 and later contain the patch, which stops full tool-call arguments and JSON-RPC params from being written to the log in that mode.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: network reachable, low attack complexity, low privileges (a caller holding a valid AUTH_TOKEN), no user interaction, and a confidentiality impact only. Triggering the logging requires an authenticated tools/call request over HTTP transport, so unauthenticated callers cannot cause it; in practice the requests that put secrets into the log are ordinary, legitimate ones, such as an assistant creating a credential through n8n_manage_credentials. The party who gains is whoever can read the logs: once log lines are exported to a SIEM, kept in shared log storage, or made available to support and operations staff, the recorded bearer tokens and API keys are readable outside the request trust boundary. The existing console-silencing layer in HTTP mode reduces what reaches the console, but the advisory describes it as fragile, and the unredacted values are still constructed and handed to the logger. The EPSS score is below 1% and the CVE is not in CISA's KEV catalog, so exploitation is not known to be widespread; even so, operators of pre-2.47.13 HTTP-mode deployments whose logs left the host should consider whether credentials that passed through tool calls need rotation.

Generated by OpenCVE AI on May 8, 2026 at 20:29 UTC.

Remediation

Vendor fix: upgrade to n8n-mcp 2.47.13 or later, which stops full tool-call arguments and JSON-RPC params from being logged in HTTP transport mode (see GHSA-wg4g-395p-mqv3). No separate workaround is published for earlier versions.

OpenCVE Recommended Actions

  • Upgrade n8n-mcp to version 2.47.13 or later; this is the vendor fix and removes the logging of raw MCP tool-call arguments and JSON-RPC params in HTTP transport mode.
  • Until upgraded, treat HTTP-mode server logs as credential-bearing: keep them on the host where possible, and configure the log shipper or SIEM to mask the known-sensitive fields (tool arguments, in particular n8n_manage_credentials.data, and any Authorization or API-key headers inside them). This is defense in depth only, because the unredacted line is written by the application before the pipeline sees it.
  • Restrict read access to log files and SIEM pipelines to trusted operators, review retention so leaked values are not kept longer than needed, and rotate any credential that was created or updated through tool calls while an affected version ran in HTTP mode with logs leaving the host.
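As an added example, not code from n8n-mcp or from the advisory, the following TypeScript reproduces the pattern the Description names (a tools/call dispatcher that serializes the raw arguments into the log line) next to a dispatcher that redacts before logging, and ends with the log scan a responder would run over exported logs when deciding whether a pre-2.47.13 deployment actually leaked anything; it also illustrates the field masking the recommended actions above ask for. The request body, the in-memory log sink, and every name in it (dispatchVulnerable, dispatchRedacted, redact, secretInLogs, demo, SENSITIVE_KEYS, SECRET_VALUE) are assumptions made for the illustration, and the token value is fake.

```typescript
// Added example (not n8n-mcp's own code): the logging defect from the Description,
// reproduced with a constructed tools/call request, beside a redacting dispatcher.
// Names and field layout below are assumptions for illustration, not n8n-mcp APIs.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

interface JsonRpcRequest {
  jsonrpc: "2.0";
  id: number;
  method: string;
  params: { name: string; arguments: { [key: string]: Json } };
}

// Constructed sample: a credential body under n8n_manage_credentials.data, the
// field the advisory singles out. The bearer token value is fake.
const sampleRequest: JsonRpcRequest = {
  jsonrpc: "2.0",
  id: 7,
  method: "tools/call",
  params: {
    name: "n8n_manage_credentials",
    arguments: {
      action: "create",
      name: "tenant-a-api",
      type: "httpHeaderAuth",
      data: { name: "Authorization", value: "Bearer EXAMPLE-TOKEN-do-not-use" },
    },
  },
};

// Pre-fix pattern: the raw arguments are serialized into the log line before
// any redaction. `sink` stands in for the logger; in a real deployment these
// lines go to files, a log shipper or a SIEM, which is where disclosure happens.
function dispatchVulnerable(req: JsonRpcRequest, sink: string[]): void {
  sink.push(`tools/call ${req.params.name} args=${JSON.stringify(req.params.arguments)}`);
  // tool execution would follow here
}

// Keys whose values must never reach a log line. "data" is included because
// n8n_manage_credentials.data is the credential body itself.
const SENSITIVE_KEYS = /^(data|token|apikey|api_key|password|secret|authorization|headers|credentials?)$/i;
// Values that look like bearer tokens or API keys even under an innocent key name.
const SECRET_VALUE = /^(Bearer\s+\S+|sk-[A-Za-z0-9]+|[A-Za-z0-9_-]{32,})$/;

// Deep-copies `value`, masking sensitive keys and token-shaped strings.
function redact(value: Json, keyName = ""): Json {
  if (SENSITIVE_KEYS.test(keyName)) return "[REDACTED]";
  if (typeof value === "string") return SECRET_VALUE.test(value) ? "[REDACTED]" : value;
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) out[k] = redact(v, k);
    return out;
  }
  return value;
}

// Hardened dispatcher: only the redacted view is ever handed to the logger.
function dispatchRedacted(req: JsonRpcRequest, sink: string[]): void {
  sink.push(`tools/call ${req.params.name} args=${JSON.stringify(redact(req.params.arguments))}`);
}

// Scan a log sink (or an exported log file split into lines) for a known secret.
function secretInLogs(lines: string[], secret: string): boolean {
  return lines.some((line) => line.includes(secret));
}

// Runs both dispatchers over the sample request and returns the resulting log lines.
function demo(): { vulnerable: string; redacted: string } {
  const before: string[] = [];
  const after: string[] = [];
  dispatchVulnerable(sampleRequest, before);
  dispatchRedacted(sampleRequest, after);
  return { vulnerable: before[0], redacted: after[0] };
}
```

Redacting by key name alone misses secrets stored under innocent keys, which is why a value pattern is checked as well; that pattern is deliberately broad (any 32-plus character token is masked) and will hide some harmless strings, which is the right trade-off for a log line. Masking at the log shipper or SIEM, as the recommended actions suggest, is defense in depth only: by the time the pipeline sees the line, the application has already written the value out.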

Advisories
Source: GitHub GHSA
ID: GHSA-wg4g-395p-mqv3
Title: n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode
History

Fri, 08 May 2026 22:45:00 +0000

Type: First Time appeared
Values Added: Czlonkowski; Czlonkowski n8n-mcp

Type: Vendors & Products
Values Added: Czlonkowski; Czlonkowski n8n-mcp

Fri, 08 May 2026 19:30:00 +0000

Type: Description
Values Added: the advisory text shown under Description above

Type: Title
Values Added: n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode

Type: Weaknesses
Values Added: CWE-532

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:07:13.823Z

Reserved: 2026-04-26T12:13:55.550Z

Link: CVE-2026-42282

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T20:16:31.717

Modified: 2026-05-08T20:16:31.717

Link: CVE-2026-42282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses