Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
When ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers - or supplied only one of them - silently fell back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own.
This affects HTTP-mode deployments of n8n-mcp that are run as a shared multi-tenant service. Single-tenant deployments (ENABLE_MULTI_TENANT unset or false) are not affected.
Impact
An authenticated MCP tenant exploiting this path could read and write workflows, executions, data-table contents, and credential metadata on the operator's n8n instance. If the operator's n8n permits Code-node execution that reaches OS-level modules, the path could escalate to remote code execution inside the operator's n8n runtime. The process-level N8N_API_KEY is, in practice, a high-privilege key - Community Edition keys are unscoped by default, and even Enterprise scopes were configured for the operator's own needs and would carry over wholesale to a tenant who triggered the fallback.
Patches
Fixed in n8n-mcp 2.51.2. The fix:
- Rejects header-less multi-tenant requests at the HTTP edge with HTTP 400 / JSON-RPC
-32602before any handler runs. - Refuses to construct an env-credential n8n API client when
ENABLE_MULTI_TENANT=true. - Closes secondary leak paths in trigger handlers and in the responses of
n8n_health_check,n8n_diagnostic,n8n_deploy_template, andn8n_audit_instanceso the operator's URL and env-key indicator are not surfaced to tenants.
Single-tenant behavior is unchanged.
Upgrade
# NPM
npx n8n-mcp@latest
# Docker
docker pull ghcr.io/czlonkowski/n8n-mcp:latestWorkarounds
If an immediate upgrade is not possible, any one of the following reduces or eliminates exposure:
- Disable multi-tenant mode. Set
ENABLE_MULTI_TENANT=false(or unset it) and run a separate n8n-mcp instance per tenant with that tenant's ownN8N_API_URL/N8N_API_KEY. This removes the affected code path entirely. - Reject malformed requests at a proxy. Require both
x-n8n-urlandx-n8n-keyheaders on every request and return 400 if either is missing. Neutralizes the primary header-omission path but does not address the secondary response-shape disclosures, so this is a partial mitigation only. - Reduce the blast radius of the operator API key. If your n8n instance supports API key scoping (Enterprise, or a Community Edition build that exposes scopes), provision the operator's
N8N_API_KEYwith the minimum scopes required for the operator's own n8n-mcp functions. This does not close the boundary break but limits what a falling-back tenant can do.
Credit
Reported by @u-ktdi.
AnalysisAI
Cross-tenant credential fallback in n8n-mcp versions 2.51.1 and earlier allows an authenticated MCP tenant on a shared multi-tenant HTTP deployment to operate against the operator's own n8n instance instead of their assigned tenant. When ENABLE_MULTI_TENANT=true and a request omitted (or partially supplied) the x-n8n-url and x-n8n-key headers, n8n-mcp silently fell back to the process-level N8N_API_URL/N8N_API_KEY credentials, granting tenants unintended access to read/write workflows, executions, data-tables, and credential metadata. Patched in 2.51.2; no public exploit identified at time of analysis but the underlying logic is straightforward and the upstream fix commit is publicly visible.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33318
GHSA-jxx9-px88-pj69