Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material - most notably n8n_manage_credentials.data - the raw values can be persisted in logs. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens and OAuth credentials sent through n8n_manage_credentials, per-tenant API keys and webhook auth headers embedded in tool arguments, arbitrary secret-bearing payloads passed to any MCP tool. The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. This issue has been patched in version 2.47.13.
AnalysisAI
n8n-MCP prior to version 2.47.13 logs sensitive credential material from authenticated MCP tool-call requests when running in HTTP transport mode, allowing disclosure of bearer tokens, OAuth credentials, API keys, and webhook authentication headers to any system with access to server logs. The vulnerability requires valid authentication (AUTH_TOKEN) and affects deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary; no public exploit code has been identified.
Technical ContextAI
n8n-MCP is a Model Context Protocol (MCP) server that exposes n8n node documentation and operations to AI assistants. The vulnerability exists in the HTTP transport request dispatcher and related code paths that log full MCP tool-call arguments and JSON-RPC parameters before redaction. The affected code does not sanitize credential material carried in tool arguments, particularly the n8n_manage_credentials.data field. The root cause is an insertion of sensitive information into log files (CWE-532). The vulnerability is specific to HTTP transport mode (MCP_MODE=http); the default stdio transport short-circuits the affected logging calls and is not affected in practice. An existing console-silencing layer in HTTP mode provides partial mitigation but is described as fragile, with credential values still constructed and passed into the logger before being potentially suppressed.
RemediationAI
Immediately upgrade to n8n-MCP version 2.47.13 or later. For npm deployments, execute npx n8n-mcp@latest or update package.json to require n8n-mcp@>=2.47.13; for Docker deployments, pull ghcr.io/czlonkowski/n8n-mcp:latest. The patch routes tool-call arguments through a metadata-only summarizer (summarizeToolCallArgs) that records type, top-level key names, and approximate size without exposing values. If immediate upgrade is not possible, implement the following compensating controls with noted trade-offs: (1) restrict network access to the HTTP port via firewall or reverse proxy to allow only trusted authenticated clients - this reduces exposure surface but does not prevent credential leakage from trusted clients, and may complicate legitimate integrations; (2) restrict access to server logs at the infrastructure level, preventing SIEM ingestion, disabling support/ops read-only log access, and using private log storage - this mitigates disclosure but degrades observability and troubleshooting until patching completes; (3) switch to stdio transport (MCP_MODE=stdio, the default for CLI invocation), which has no HTTP surface and short-circuits the affected logging code - this eliminates the vulnerability but changes deployment architecture and may not be compatible with existing integrations expecting HTTP transport. Each workaround introduces operational friction and should be considered temporary pending the patch deployment.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28824