Description
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own. This affects HTTP-mode deployments of n8n-mcp that are run as a shared multi-tenant service. Single-tenant deployments (ENABLE_MULTI_TENANT unset or false) are not affected. This vulnerability is fixed in 2.51.2.
Published: 2026-05-29
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n-MCP is an MCP server that gives AI assistants access to n8n node documentation and to n8n management APIs. When multi-tenant mode (ENABLE_MULTI_TENANT=true) is enabled, the target n8n instance is selected for each request from the x-n8n-url and x-n8n-key headers. If a request omits one or both of these headers, the server silently falls back to the process-level N8N_API_URL and N8N_API_KEY credentials, which belong to the operator's own instance. As a result, an authenticated tenant can issue management calls that act against the operator's n8n instance rather than its own, potentially modifying data or initiating arbitrary actions there. This is an improper access control weakness (CWE-284).

Affected Systems

The vulnerability affects the czlonkowski:n8n-mcp product, versions prior to 2.51.2, when ENABLE_MULTI_TENANT is set to true and the service is deployed in HTTP mode as a shared multi-tenant service. Single-tenant configurations are not impacted.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 indicates high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs authenticated access as an MCP tenant and the ability to send HTTP requests to the server; no further conditions are required. The attack vector is an HTTP request to the MCP server that omits one or both tenant headers, which triggers the fallback to the operator's credentials. Because the operator's API key is then used, the attacker can perform privileged operations on the operator's n8n instance.

Generated by OpenCVE AI on May 29, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n-mcp to version 2.51.2 or later.
  • If multi-tenant mode is required, enforce that every request contains both the x-n8n-url and x-n8n-key headers and validate them against an allowlist of permitted tenants. If multi-tenant mode is not needed, disable ENABLE_MULTI_TENANT.
  • Monitor the n8n-mcp API logs for any unauthorized management operations and review tenant configurations to prevent abuse.
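The fallback described above and the "both headers required, allowlisted tenant" control from the recommended actions, as an added TypeScript illustration that is not n8n-mcp's own code (type and function names are hypothetical; header keys are assumed to arrive lower-cased, as Node's HTTP parser delivers them):

```typescript
// Added illustration (not n8n-mcp's own code) of the tenant-selection logic this
// advisory describes. Header keys are assumed lower-cased as Node's http module does.
interface N8nCredentials { url: string; key: string; }
type RequestHeaders = Record<string, string | undefined>;

interface ResolverConfig {
  multiTenant: boolean;            // ENABLE_MULTI_TENANT
  processCreds?: N8nCredentials;   // N8N_API_URL / N8N_API_KEY (operator's own instance)
  allowedTenantUrls?: string[];    // optional allowlist, per the recommended action
}

class TenantSelectionError extends Error {}

// Compare tenant URLs case-insensitively and ignoring a trailing slash.
function normalizeUrl(u: string): string {
  return u.trim().toLowerCase().replace(/\/+$/, "");
}

// Vulnerable shape (pre-2.51.2 behaviour as described): when either header is
// missing, the request silently falls through to the operator's credentials.
function resolveCredentialsVulnerable(
  cfg: ResolverConfig, headers: RequestHeaders): N8nCredentials | undefined {
  const url = headers["x-n8n-url"];
  const key = headers["x-n8n-key"];
  if (cfg.multiTenant && url && key) return { url, key };
  return cfg.processCreds;   // reached for {}, {url only} and {key only}
}

// Hardened shape: in multi-tenant mode both headers are mandatory, the tenant URL
// must be on the allowlist when one is configured, and the process-level
// credentials are never consulted. Failures throw instead of degrading silently.
function resolveCredentialsHardened(
  cfg: ResolverConfig, headers: RequestHeaders): N8nCredentials {
  if (!cfg.multiTenant) {
    if (!cfg.processCreds) throw new TenantSelectionError("N8N_API_URL/N8N_API_KEY not configured");
    return cfg.processCreds;
  }
  const url = headers["x-n8n-url"];
  const key = headers["x-n8n-key"];
  if (!url || !key) {
    throw new TenantSelectionError("multi-tenant mode requires both x-n8n-url and x-n8n-key");
  }
  if (cfg.allowedTenantUrls &&
      !cfg.allowedTenantUrls.map(normalizeUrl).includes(normalizeUrl(url))) {
    throw new TenantSelectionError("x-n8n-url is not a permitted tenant");
  }
  return { url, key };
}
```

A request with only one header reaches the operator's credentials in the first resolver and is rejected by the second; an operator can use the same partial-header condition as a log-review filter.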

Advisories

Source: GitHub GHSA
ID: GHSA-jxx9-px88-pj69
Title: n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
History

Fri, 29 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Czlonkowski; Czlonkowski n8n-mcp

Type: Vendors & Products
Values Added: Czlonkowski; Czlonkowski n8n-mcp

Fri, 29 May 2026 13:45:00 +0000

Type: Description
Values Added: (identical to the Description at the top of this page)

Type: Title
Values Added: n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

Type: Weaknesses
Values Added: CWE-284

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T13:35:42.281Z

Reserved: 2026-05-13T04:38:01.166Z

Link: CVE-2026-45707

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-29T14:16:31.240

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-45707

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses