PT-2026-41690 · Czlonkowski+2 · N8N-Mcp
U-Ktdi · Published 2026-05-18 · Updated 2026-05-29 · CVE-2026-45582
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
n8n-MCP versions prior to 2.51.3
Description
The workflow telemetry sanitizer may retain partial fragments of URL-shaped node parameters before transmitting workflow data to the anonymous telemetry backend. This allows values within HTTP-Request-style node parameters, such as tenant identifiers, short secrets in query strings, and signed request parameters, to be stored in telemetry. This issue is limited to URL-shaped fields in workflow definitions; credentials, OAuth tokens, and workflow execution data remain unaffected as they are handled by separate removal processes and dedicated patterns.
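An added example (not n8n-MCP's code) of the failure class described above: a constructed sanitizer that masks only long token-like runs leaves short values in URL-shaped parameters intact, while replacing every URL-shaped substring in full leaves nothing behind. The workflow fragment, parameter names and both sanitizer functions are assumptions made for illustration.

```javascript
// Added example, not n8n-MCP's sanitizer. All names and values are constructed.
const URL_SHAPED = /\b[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi;

// Pattern-only redaction: masks long token-like runs, so short values survive.
function redactLongTokens(value) {
  return value.replace(/[A-Za-z0-9_-]{20,}/g, '[REDACTED]');
}

// Whole-value redaction: every URL-shaped substring is replaced in full, so
// host, path, query string and fragment never reach the telemetry payload.
function redactUrls(value) {
  return value.replace(URL_SHAPED, '[URL]');
}

// Recursively apply a string sanitizer to every value in a workflow object.
function sanitize(value, fn) {
  if (typeof value === 'string') return fn(value);
  if (Array.isArray(value)) return value.map((v) => sanitize(v, fn));
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitize(v, fn)]));
  }
  return value;
}

// Constructed workflow fragment with an HTTP-Request-style node.
const sampleWorkflow = {
  nodes: [{
    type: 'httpRequest',
    parameters: {
      url: 'https://api.example.test/t/acme-42/export?key=s3cr3t&sig=ab12cd34',
      options: { note: 'fallback http://10.0.0.5:8080/hook?token=xyz789 if down' },
    },
  }],
};

// Return which of the given sensitive fragments still appear after sanitizing.
function leakedFragments(workflow, fn, fragments) {
  const out = JSON.stringify(sanitize(workflow, fn));
  return fragments.filter((f) => out.includes(f));
}

const FRAGMENTS = ['acme-42', 's3cr3t', 'ab12cd34', 'xyz789', '10.0.0.5'];
console.log('pattern-only leaks:', leakedFragments(sampleWorkflow, redactLongTokens, FRAGMENTS));
console.log('whole-URL leaks:', leakedFragments(sampleWorkflow, redactUrls, FRAGMENTS));
```

A check like `leakedFragments` fits in a unit test for any telemetry sanitizer: seed the input with known tenant IDs, short secrets and signatures, then assert that none of them appears in the serialized output.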
Recommendations
Update to version 2.51.3.
As a temporary workaround, disable anonymous telemetry by setting any of the following environment variables to true: N8N_MCP_TELEMETRY_DISABLED, TELEMETRY_DISABLED, or DISABLE_TELEMETRY.
Affected Products
N8N-Mcp