PT-2026-41794 · Czlonkowski+3 · N8N-Mcp
U-Ktdi
·
Published
2026-05-18
·
Updated
2026-05-29
·
CVE-2026-45707
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
n8n-mcp versions prior to 2.51.2
Description
In HTTP-mode deployments run as a shared multi-tenant service where
ENABLE MULTI TENANT is set to true, the system selects the target n8n instance per-request using the x-n8n-url and x-n8n-key headers. Requests that omit these headers, or provide only one of them, silently fall back to the process-level N8N API URL and N8N API KEY credentials of the operator's own instance. This allows an authenticated MCP tenant to execute n8n management calls against the operator's instance, potentially enabling them to read and write workflows, executions, data-table contents, and credential metadata. If the operator's instance permits Code-node execution with OS-level module access, this could lead to remote code execution within the operator's n8n runtime.Recommendations
Update to version 2.51.2.
As a temporary workaround, set
ENABLE MULTI TENANT to false (or unset it) and run a separate n8n-mcp instance per tenant.
As a partial mitigation, configure a proxy to reject requests that are missing either the x-n8n-url or x-n8n-key headers.
Limit the scopes of the operator's N8N API KEY to the minimum required permissions to reduce the potential impact.Exploit
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
N8N-Mcp