Skip to main content

n8n-mcp EUVDEUVD-2026-33319

| CVE-2026-45582 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-18 https://github.com/czlonkowski/n8n-mcp GHSA-f3rg-xqjj-cj9w
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 14:02 vuln.today
Analysis Generated
May 18, 2026 - 14:02 vuln.today

DescriptionGitHub Advisory

Summary

In affected versions of n8n-mcp, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters - such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters - could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md.

Impact

Operators with access to the project's telemetry backend could read partial fragments of workflow URL parameters that should not have been collected. The bug was scoped to URL-shaped fields in workflow *definitions*; credentials, OAuth tokens, and workflow *execution* data are not affected - credentials are removed by a separate code path, and long secrets and known-provider tokens are matched by dedicated patterns.

Patches

Fixed in n8n-mcp 2.51.3. Upgrading is the recommended remediation.

Workarounds

For users who cannot upgrade immediately, disable anonymous telemetry by setting any of these environment variables to true:

  • N8N_MCP_TELEMETRY_DISABLED
  • TELEMETRY_DISABLED
  • DISABLE_TELEMETRY

Credit

Reported by @u-ktdi.

AnalysisAI

Incomplete telemetry sanitization in n8n-mcp (all versions before 2.51.3) caused the WorkflowSanitizer to transmit partial URL paths and query strings - including customer IDs, tenant identifiers, signed-request parameters, and short tokens below the 20-character generic-token threshold - to the project's anonymous Supabase-hosted telemetry backend. Any operator with read access to the telemetry_workflows or workflow_mutations Supabase tables could retrieve these fragments from workflow definitions, contrary to the privacy guarantees documented in PRIVACY.md. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS confidentiality impact is rated High (C:H), reflecting the potential sensitivity of the leaked parameters.

Technical ContextAI

The root cause is CWE-201 (Insertion of Sensitive Information Into Sent Data): the WorkflowSanitizer's sanitizeString function performed a hostname-only substitution - replacing the domain portion of url, endpoint, and webhook field values with the placeholder [domain] - but left URL paths and query strings intact before forwarding telemetry payloads to Supabase. The affected package is pkg:npm/n8n-mcp; n8n-mcp wraps n8n workflow automation as an MCP (Model Context Protocol) server. HTTP-Request-style nodes in n8n frequently encode identifiers and tokens as URL path segments or query parameters, making them the primary leakage surface. The mutation telemetry path (sanitizeWorkflowRaw) shared the same flawed code path and was identically affected. As a defense-in-depth gap, the event-validator schema accepted nodes: z.array(z.any()), meaning unknown top-level node keys were also not rejected before serialization.

RemediationAI

Upgrade to n8n-mcp 2.51.3 or later - this is the vendor-confirmed fix (vendor-released patch: 2.51.3, applied in PR #782 at https://github.com/czlonkowski/n8n-mcp/pull/782 and commit 6cf6fef653fcd6d598f2f356aac4754931c7329f). The upgrade fully redacts url, endpoint, webhook, and similarly named fields to [REDACTED_URL] rather than preserving path and query components. Note that this is a breaking change for any consumers of local telemetry analytics who parse the previous partial-URL format. For deployments that cannot upgrade immediately, disable anonymous telemetry entirely by setting one of the following environment variables to true: N8N_MCP_TELEMETRY_DISABLED, TELEMETRY_DISABLED, or DISABLE_TELEMETRY. This workaround prevents all workflow data from reaching the Supabase backend but also eliminates telemetry-based features entirely. Organizations should audit existing Supabase telemetry_workflows and workflow_mutations table records for URL path and query-string fragments that may have been collected prior to upgrading.

Share

EUVD-2026-33319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy