Impact
n8n is an open source workflow automation platform. Prior to versions 2.25.7 and 2.26.2, when its @n8n/mcp-browser component is configured to use HTTP transport, it accepts session initialization and tool invocation requests without authentication. Any network‑reachable client, or any website that a user visits, can therefore create an MCP session and invoke browser‑control tools. If the n8n AI Browser Bridge extension is installed and a browser connection is live, an unauthenticated caller can control the user's actual browser profile, navigating pages, evaluating JavaScript, and accessing cookies and web storage. This vulnerability represents a CWE‑306 weakness: it is a lack of authentication. These capabilities can lead to unauthorized editing or reading of user data, privilege escalation within the browser context, and potential compromise of confidential information stored in the user's profile. The issue was fixed in n8n releases 2.25.7 and 2.26.2.
Affected Systems
All n8n installations running a version earlier than 2.25.7 (or earlier than 2.26.2 in the 2.26 series) that use the @n8n/mcp-browser package with the --transport http flag are affected. The flaw does not apply to builds that use WebSocket transport or to newer n8n releases that include the fix.
Risk and Exploitability
The CVSS score of 8.8 classifies the weakness as high severity. No EPSS score is available, and it is not listed in the CISA KEV catalog. Because the MCP endpoint accepts unauthenticated requests when the HTTP transport is enabled, a remote attacker with network access can easily exploit the flaw; any website visited by the user or any host that can reach the n8n service can create a session. This creates a significant risk of data theft from the user's browser profile and potential execution of malicious scripts. The vulnerability was mitigated in n8n releases 2.25.7 and 2.26.2.
OpenCVE Enrichment
Github GHSA