PT-2026-37190 · N8N-Mcp · N8N-Mcp

Mirr2 · Published 2026-04-25 · Updated 2026-05-14 · CVE-2026-42282

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: n8n-mcp versions prior to 2.47.13

Description: When running in HTTP transport mode, authenticated tools/call requests have their full arguments and JSON-RPC parameters written to server logs by the request dispatcher and related code paths before any redaction is applied. In environments where logs are collected or forwarded to external systems, such as SIEM pipelines or shared storage, this can disclose sensitive information. Exposed data may include bearer tokens, OAuth credentials sent via the n8n manage credentials tool's credentials.data field, per-tenant API keys, webhook authentication headers, and other secret-bearing payloads. Exploitation requires a valid AUTH_TOKEN, i.e. an authenticated client. A console-silencing layer exists in HTTP mode, but it is fragile and does not stop the values from being passed to the logger in the first place.

Recommendations: Update to version 2.47.13 or later. Restrict access to the HTTP port using a firewall, reverse proxy, or VPN so that only trusted clients can authenticate. Restrict access to server logs and disable shared SIEM ingestion until the update is applied. Alternatively, switch to stdio transport by setting MCP_MODE=stdio, which avoids the affected HTTP surface and its log calls.
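The defect class above is "log first, redact later". The following is an added example, not n8n-mcp code, that shows a minimal JSON-RPC tools/call dispatcher in the weak form (raw params serialised into the log line) beside a hardened form that only ever hands a redacted copy to the log sink. The function names, the secret-key regex and the sample request values are all hypothetical and constructed for this illustration.

```typescript
// Added example, not n8n-mcp code: a JSON-RPC "tools/call" dispatcher that
// redacts secret-bearing fields before anything reaches the log sink, shown
// beside the weak pattern the advisory describes (logging raw params first).
// All names, patterns and sample values are hypothetical.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

interface JsonRpcRequest {
  jsonrpc: "2.0";
  id: number | string;
  method: string;
  params?: Json;
}

type LogSink = (line: string) => void;

// Keys whose values are treated as secrets regardless of shape. A key such as
// "credentials" matches, so the nested "data" object under it is replaced as
// a whole instead of being walked (assumed list, extend for your own schema).
const SECRET_KEY =
  /(token|secret|password|passwd|api[_-]?key|authorization|credential|cookie|signature)/i;
// Values that look like an HTTP bearer/basic credential even when they sit
// under a harmless-looking key (e.g. a custom webhook header name).
const BEARER_VALUE = /^\s*(Bearer|Basic)\s+\S+/i;

// Returns a deep copy with secret-bearing fields replaced; the input is not mutated.
function redact(value: Json): Json {
  if (Array.isArray(value)) {
    return value.map((v) => redact(v));
  }
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEY.test(k) ? "[REDACTED]" : redact(v);
    }
    return out;
  }
  if (typeof value === "string" && BEARER_VALUE.test(value)) {
    return "[REDACTED]";
  }
  return value;
}

// Weak pattern: raw params are serialised into the log line before any
// redaction, so every consumer of the sink (file, stdout, SIEM forwarder)
// receives the secrets.
function dispatchLoggingRaw(req: JsonRpcRequest, log: LogSink): string {
  const line = `${req.method} id=${req.id} params=${JSON.stringify(req.params ?? null)}`;
  log(line);
  return line;
}

// Hardened pattern: only the redacted copy is ever stringified and passed on.
function dispatchLoggingRedacted(req: JsonRpcRequest, log: LogSink): string {
  const line = `${req.method} id=${req.id} params=${JSON.stringify(redact(req.params ?? null))}`;
  log(line);
  return line;
}

// Constructed sample request (all values made up), shaped like an MCP
// tools/call that carries credentials for a downstream n8n API call.
const SAMPLE_REQUEST: JsonRpcRequest = {
  jsonrpc: "2.0",
  id: 7,
  method: "tools/call",
  params: {
    name: "n8n_manage_credentials",
    arguments: {
      action: "create",
      credentials: { data: { apiKey: "sk-example-0123456789" } },
      headers: { "X-Hook-Header": "Bearer example-bearer-value" },
      tenantApiKey: "tenant-example-key",
      workflowId: "wf-42",
    },
  },
};

// In-memory sink so the two log lines can be compared offline.
function runDemo(): { raw: string; redacted: string } {
  const lines: string[] = [];
  const sink: LogSink = (l) => lines.push(l);
  const raw = dispatchLoggingRaw(SAMPLE_REQUEST, sink);
  const redacted = dispatchLoggingRedacted(SAMPLE_REQUEST, sink);
  return { raw, redacted };
}

const demo = runDemo();
console.log(demo.raw);
console.log(demo.redacted);
```

The important property is ordering: `redact` runs before `JSON.stringify`, so no code path between the dispatcher and the sink ever holds the secret. Silencing `console` at the transport layer, as the advisory notes, does not give this guarantee because the logger still receives the original object. Redaction at the sink is a reasonable second layer, but it cannot recover from a dispatcher that has already formatted the secret into a string.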

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2026-42282
GHSA-WG4G-395P-MQV3

Affected Products

N8N-Mcp