Skip to main content

n8n-MCP CVE-2026-42282

| EUVDEUVD-2026-28824 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-08 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:01 vuln.today
Analysis Generated
May 08, 2026 - 20:01 vuln.today
CVE Published
May 08, 2026 - 19:07 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material - most notably n8n_manage_credentials.data - the raw values can be persisted in logs. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens and OAuth credentials sent through n8n_manage_credentials, per-tenant API keys and webhook auth headers embedded in tool arguments, arbitrary secret-bearing payloads passed to any MCP tool. The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. This issue has been patched in version 2.47.13.

AnalysisAI

n8n-MCP prior to version 2.47.13 logs sensitive credential material from authenticated MCP tool-call requests when running in HTTP transport mode, allowing disclosure of bearer tokens, OAuth credentials, API keys, and webhook authentication headers to any system with access to server logs. The vulnerability requires valid authentication (AUTH_TOKEN) and affects deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary; no public exploit code has been identified.

Technical ContextAI

n8n-MCP is a Model Context Protocol (MCP) server that exposes n8n node documentation and operations to AI assistants. The vulnerability exists in the HTTP transport request dispatcher and related code paths that log full MCP tool-call arguments and JSON-RPC parameters before redaction. The affected code does not sanitize credential material carried in tool arguments, particularly the n8n_manage_credentials.data field. The root cause is an insertion of sensitive information into log files (CWE-532). The vulnerability is specific to HTTP transport mode (MCP_MODE=http); the default stdio transport short-circuits the affected logging calls and is not affected in practice. An existing console-silencing layer in HTTP mode provides partial mitigation but is described as fragile, with credential values still constructed and passed into the logger before being potentially suppressed.

RemediationAI

Immediately upgrade to n8n-MCP version 2.47.13 or later. For npm deployments, execute npx n8n-mcp@latest or update package.json to require n8n-mcp@>=2.47.13; for Docker deployments, pull ghcr.io/czlonkowski/n8n-mcp:latest. The patch routes tool-call arguments through a metadata-only summarizer (summarizeToolCallArgs) that records type, top-level key names, and approximate size without exposing values. If immediate upgrade is not possible, implement the following compensating controls with noted trade-offs: (1) restrict network access to the HTTP port via firewall or reverse proxy to allow only trusted authenticated clients - this reduces exposure surface but does not prevent credential leakage from trusted clients, and may complicate legitimate integrations; (2) restrict access to server logs at the infrastructure level, preventing SIEM ingestion, disabling support/ops read-only log access, and using private log storage - this mitigates disclosure but degrades observability and troubleshooting until patching completes; (3) switch to stdio transport (MCP_MODE=stdio, the default for CLI invocation), which has no HTTP surface and short-circuits the affected logging code - this eliminates the vulnerability but changes deployment architecture and may not be compatible with existing integrations expecting HTTP transport. Each workaround introduces operational friction and should be considered temporary pending the patch deployment.

Share

CVE-2026-42282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy