Telemetry Data Exposure in n8n-MCP Server from czlonkowski
CVE-2026-45582

6.5 MEDIUM

Key Information:

Status
Vendor
CVE Published: 29 May 2026

What is CVE-2026-45582?

Before version 2.51.3, the n8n-MCP server, designed for AI assistants, had a flaw in its workflow telemetry sanitizer: the sanitizer could retain segments of URL-shaped node parameters. Sensitive information, including customer identifiers and short secrets, could therefore be captured and stored in the telemetry database, which is a privacy exposure. Version 2.51.3 addresses the problem so that sensitive data is handled in compliance with the documented privacy boundaries.
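
As an added illustration (not n8n-mcp's code and not taken from the advisory), the example below contrasts a constructed weak sanitizer that keeps parts of URL-shaped parameters with one that replaces them whole, and includes a check that sensitive values are absent from the telemetry payload. All function names, the 20-character threshold and the sample data are assumptions.

```javascript
// Added illustration: hypothetical sanitizers, not n8n-mcp's code.
const URL_SHAPED = /^[a-z][a-z0-9+.-]*:\/\/\S+$/i;

// Weak variant (constructed assumption): drops the query string and masks only
// long path segments, so short identifiers and short secrets survive.
function weakSanitizeUrl(value) {
  let u;
  try { u = new URL(value); } catch { return '[REDACTED_URL]'; }
  const path = u.pathname.split('/')
    .map((seg) => (seg.length >= 20 ? '[REDACTED]' : seg)).join('/');
  return `${u.protocol}//${u.host}${path}`;
}

// Strict variant: a URL-shaped value is replaced whole; no host, path or query is kept.
function strictSanitizeUrl() { return '[REDACTED_URL]'; }

// Walk node parameters recursively and apply `sanitizeUrl` to every URL-shaped string.
function sanitizeParams(value, sanitizeUrl) {
  if (typeof value === 'string') {
    const s = value.trim();
    return URL_SHAPED.test(s) ? sanitizeUrl(s) : value;
  }
  if (Array.isArray(value)) return value.map((v) => sanitizeParams(v, sanitizeUrl));
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitizeParams(v, sanitizeUrl)])
    );
  }
  return value;
}

// Regression check: which of the known-sensitive values still appear in the payload?
function leakedValues(payload, sensitive) {
  const text = JSON.stringify(payload);
  return sensitive.filter((s) => text.includes(s));
}

// Constructed sample node parameters and the values that must never reach telemetry.
const SAMPLE_PARAMS = {
  url: 'https://api.example.test/customers/cust_8841/hooks/k9Qz2x?sig=abc',
  options: { headers: [{ name: 'X-Callback', value: 'https://hooks.example.test/t/pw7' }] },
  method: 'POST',
};
const SAMPLE_SENSITIVE = ['cust_8841', 'k9Qz2x', 'pw7'];
```

A check like `leakedValues` is useful as a unit test on the sanitizer's output, run against fixtures that place identifiers in the path, query and nested parameters.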

Affected Version(s)

n8n-mcp < 2.51.3

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
