PT-2026-34682 · Czlonkowski+2 · N8N-Mcp

S4Nso · Published 2026-04-23 · Updated 2026-05-13 · CVE-2026-41495

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

n8n-mcp versions prior to 2.47.11

Description

When running in HTTP transport mode, incoming requests to the 'POST /mcp' endpoint have their request metadata written to server logs regardless of whether authentication is successful. This can lead to the disclosure of sensitive information in environments where logs are collected or forwarded to external systems, such as SIEM pipelines or shared storage. Exposed data may include bearer tokens from the Authorization header, per-tenant API keys from the x-n8n-key header in multi-tenant configurations, and JSON-RPC request payloads. While unauthenticated requests are correctly rejected with a 401 Unauthorized response, the sensitive values from these requests are still persisted in the logs.

Recommendations

Update to version 2.47.11 or later. Restrict network access to the HTTP port using a firewall, reverse proxy, or VPN to ensure only trusted clients can reach the endpoint. Switch to stdio transport by setting MCP_MODE=stdio to eliminate the HTTP surface.
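
The logging behaviour described above can be avoided by building the log record from an allowlisted, redacted view of the request instead of the raw request. The following is an added example, not n8n-mcp's code or its 2.47.11 patch; `safeLogRecord`, `redactHeader`, the request shape and the sample values are assumptions made for illustration.

```javascript
// Headers the advisory names as carrying credentials (lowercase for lookup).
const SENSITIVE_HEADERS = new Set(['authorization', 'x-n8n-key']);
const KNOWN_SCHEMES = new Set(['bearer', 'basic']);

// Replace a credential header value. For Authorization, keep a recognised
// scheme name so the log shows that a credential was sent, never its value.
function redactHeader(name, value) {
  if (name === 'authorization') {
    const scheme = String(value).trim().split(/\s+/)[0];
    if (KNOWN_SCHEMES.has(scheme.toLowerCase())) return `${scheme} [REDACTED]`;
  }
  return '[REDACTED]';
}

// Build the record handed to the logger. `authenticated` is the outcome of
// the server's own auth check; this helper never inspects the credential.
function safeLogRecord(req, authenticated) {
  const headers = {};
  for (const [rawName, value] of Object.entries(req.headers || {})) {
    const name = rawName.toLowerCase();
    headers[name] = SENSITIVE_HEADERS.has(name)
      ? redactHeader(name, value)
      : String(value);
  }
  const record = { method: req.method, path: req.path, authenticated, headers };
  // JSON-RPC payload: params are never logged; the method name and id are
  // logged only for requests that passed authentication.
  const body = req.body;
  if (authenticated && body && typeof body === 'object' && !Array.isArray(body)) {
    record.rpc = { method: String(body.method), id: body.id ?? null };
  }
  return record;
}

// Constructed sample: an unauthenticated POST /mcp that will be answered 401.
const sampleRequest = {
  method: 'POST',
  path: '/mcp',
  headers: {
    Authorization: 'Bearer constructed-token-value',
    'X-N8N-Key': 'constructed-tenant-key',
    'content-type': 'application/json',
  },
  body: { jsonrpc: '2.0', id: 1, method: 'tools/call', params: { secret: 'constructed' } },
};
console.log(JSON.stringify(safeLogRecord(sampleRequest, false)));
```

Logs written before the upgrade are not cleaned by a change like this, so any bearer token or x-n8n-key value that may already have reached them should be rotated.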

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2026-41495
GHSA-PFM2-2MHG-8WPX

Affected Products

N8N-Mcp