Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint with no auth (PR:N, UI:N); driving a live browser yields high confidentiality and integrity impact, low availability.
Primary rating from Vendor (https://github.com/n8n-io/n8n).
CVSS VectorVendor: https://github.com/n8n-io/n8n
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Impact
When @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke browser-control tools.
Where the n8n AI Browser Bridge extension is installed and a browser connection is active, an unauthenticated caller can access browser-control capabilities including navigation, JavaScript evaluation, and cookie and storage access against the user's real browser profile.
This issue only affects instances where @n8n/mcp-browser is run with the HTTP transport (--transport http). The default transport is stdio, which is not affected.
Patches
The issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Avoid running
@n8n/mcp-browserwith the HTTP transport; use the default stdio transport instead. - If HTTP transport is required, restrict network access to the listening port to trusted clients only using host-based firewall rules.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Unauthenticated browser hijacking in n8n's @n8n/mcp-browser package (versions <2.25.7 and 2.26.0-2.26.1) allows any network-reachable attacker or malicious website to invoke browser-control tools against a victim's real browser profile when HTTP transport is enabled. No public exploit identified at time of analysis, but the missing-authentication flaw (CWE-306) requires only that the operator started the MCP endpoint with --transport http and has the n8n AI Browser Bridge extension active.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the operator launched @n8n/mcp-browser with the --transport http flag (non-default; default stdio is not vulnerable), that the n8n AI Browser Bridge browser extension is installed, and that an active browser connection exists between the extension and the MCP server. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 8.8 (AV:N/AC:L/AT:N/PR:N/UI:N, VC:L/VI:H/VA:L) is well-justified for the affected configuration: no authentication, no user interaction, and high integrity impact because an attacker can drive an authenticated browser session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An operator runs @n8n/mcp-browser with --transport http on a workstation that also has the n8n AI Browser Bridge extension connected to their logged-in Chrome profile. The user then visits an attacker-controlled webpage, which issues a cross-origin POST to the local MCP endpoint to initialize a session and invoke the navigation and JavaScript-evaluation tools, exfiltrating session cookies and authenticated content from sites the victim is logged into. |
| Remediation | Vendor-released patch: upgrade n8n to 2.25.7 (for the 2.25.x line) or 2.26.2 (for the 2.26.x line) or later, per GHSA-qrx8-25qr-5r7v (https://github.com/n8n-io/n8n/security/advisories/GHSA-qrx8-25qr-5r7v). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all n8n deployments running @n8n/mcp-browser and verify which have HTTP transport enabled; audit active instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38468
GHSA-qrx8-25qr-5r7v