Information Disclosure in n8n-MCP Server by czlonkowski
CVE-2026-41495

5.3 MEDIUM

Key Information:

  • Status:
  • Vendor:
  • CVE Published: 8 May 2026

What is CVE-2026-41495?

The n8n-MCP server gives AI assistants access to n8n's documentation and operations. Before version 2.47.11, when running in HTTP transport mode, it logged metadata from every incoming request to the /mcp endpoint regardless of whether authentication succeeded. The log could therefore capture sensitive material: bearer tokens from the Authorization header, API keys in multi-tenant setups, and the payloads of rejected JSON-RPC requests. Access control itself worked correctly and unauthenticated requests were rejected with a 401 Unauthorized response, but the persistence of these values in logs created a disclosure risk. Users are encouraged to update to version 2.47.11.
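The defensive pattern the fix implies is to decide what a request log entry may contain only after the access-control check has run, and never to include credential headers or rejected payloads. The following is an added example, not code from n8n-MCP; the header name `x-api-key`, the request shape and all sample values are constructed for illustration.

```javascript
// Header names treated as credentials. The advisory names only the
// Authorization header; 'x-api-key' is an assumed name for the multi-tenant key.
const SECRET_HEADERS = new Set(['authorization', 'x-api-key']);

// Keep the authentication scheme (useful when debugging) but never the credential.
function redactHeader(name, value) {
  if (!SECRET_HEADERS.has(name)) return value;
  const scheme = name === 'authorization' ? String(value).split(' ')[0] + ' ' : '';
  return `${scheme}[redacted]`;
}

// Build the only record that may be written to the log for a request to /mcp.
// `authenticated` is the result of the access-control check that runs first;
// a rejected (401) request contributes no body at all.
function sanitizeRequestLog({ method, path, headers, body }, authenticated) {
  const safeHeaders = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    safeHeaders[key] = redactHeader(key, value);
  }
  const record = { method, path, authenticated, headers: safeHeaders };
  if (authenticated && body && typeof body === 'object') {
    // Accepted JSON-RPC requests: log routing metadata only, never params.
    record.rpc = { id: body.id, method: body.method };
  } else {
    record.body = 'omitted';
  }
  return record;
}

// True if any of the given secret strings survives in the serialized log line.
function leaksSecrets(record, secrets) {
  const line = JSON.stringify(record);
  return secrets.some((s) => line.includes(s));
}

// Constructed sample: an unauthenticated JSON-RPC call carrying a bearer token
// and a tenant API key. None of these values are real.
const sampleRequest = {
  method: 'POST',
  path: '/mcp',
  headers: {
    Authorization: 'Bearer example-token-not-real',
    'Content-Type': 'application/json',
    'X-Api-Key': 'tenant-key-example',
  },
  body: { jsonrpc: '2.0', id: 1, method: 'tools/call', params: { note: 'do-not-log' } },
};
const SAMPLE_SECRETS = ['example-token-not-real', 'tenant-key-example', 'do-not-log'];

console.log(JSON.stringify(sanitizeRequestLog(sampleRequest, false)));
```

The `leaksSecrets` check is the kind of assertion worth keeping in a test suite: serialize whatever the logger would emit and confirm no known credential string appears in it.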

Affected Version(s)

n8n-mcp < 2.47.11

References

CVSS v3.1

  • Score: 5.3
  • Severity: MEDIUM
  • Confidentiality: Low
  • Integrity: None
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved