CVE-2026-41495 Overview
CVE-2026-41495 is an information disclosure vulnerability in n8n-MCP, an MCP server that exposes n8n node documentation, properties, and operations to AI assistants. Versions prior to 2.47.11 write incoming request metadata for the POST /mcp endpoint to server logs regardless of authentication outcome. The logged data can include bearer tokens from the Authorization header, per-tenant API keys from the x-n8n-key header, and JSON-RPC payloads. The flaw is classified under CWE-532: Insertion of Sensitive Information into Log File. The maintainer addressed the issue in version 2.47.11.
Critical Impact
Sensitive authentication material and JSON-RPC payloads from rejected and accepted requests can be persisted in logs that may be accessible to SIEM pipelines, shared log storage, or support personnel outside the original trust boundary.
Affected Products
- n8n-mcp versions prior to 2.47.11
- HTTP transport mode deployments of n8n-mcp
- Multi-tenant n8n-mcp setups using x-n8n-key headers
Discovery Timeline
- 2026-05-08 - CVE-2026-41495 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-41495
Vulnerability Analysis
The vulnerability resides in the HTTP transport layer of n8n-mcp. When the server receives a request on the POST /mcp endpoint, it writes request metadata to its log stream before, or independent of, the authentication outcome. Access control itself functions correctly — unauthenticated callers receive a 401 Unauthorized response. However, the metadata associated with those rejected requests is still written to logs.
In deployments where logs are aggregated by SIEM platforms, forwarded to centralized storage, or read by operations staff, this behavior shifts sensitive material outside the request's intended trust boundary. An attacker with read access to logs can harvest valid bearer tokens, tenant API keys, and the contents of JSON-RPC calls submitted to the MCP endpoint.
Root Cause
The root cause is overly permissive logging behavior in the request pipeline. The HTTP handler logs full request metadata, including header values such as Authorization and x-n8n-key, without redaction or filtering. Because authentication failure does not suppress logging, even attacker-supplied or accidentally-sent secrets reach persistent storage. This pattern matches the conditions described in CWE-532.
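To make the CWE-532 pattern concrete, the following is an added illustration, not code from the n8n-mcp project or its fix: a request-logging helper that serializes every header and the JSON-RPC body (the behaviour the advisory describes), next to a hardened version that redacts Authorization and x-n8n-key before anything reaches the log stream. The request object shape, the header set, and the sample request are assumptions constructed for the example.

```javascript
// Added example, not n8n-mcp's own code. Assumes an Express-style request
// object; HTTP header names are case-insensitive, so lookups are normalized.

const SENSITIVE_HEADERS = new Set(['authorization', 'x-n8n-key', 'proxy-authorization', 'cookie']);

// Vulnerable pattern: full request metadata is serialized for the log,
// secrets and JSON-RPC body included, before any authentication decision.
function buildLogEntryVulnerable(req) {
  return { method: req.method, path: req.path, headers: req.headers, body: req.body };
}

// Hardened pattern: sensitive header values are replaced, whatever their
// casing, so the entry is safe to emit regardless of authentication outcome.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    const key = name.toLowerCase();
    out[key] = SENSITIVE_HEADERS.has(key) ? '[REDACTED]' : value;
  }
  return out;
}

function buildLogEntrySafe(req) {
  const entry = { method: req.method, path: req.path, headers: redactHeaders(req.headers) };
  if (req.body && typeof req.body === 'object') {
    // Keep only what is needed to correlate the call; params may carry secrets.
    entry.rpc = { method: req.body.method, id: req.body.id };
  }
  return entry;
}

// Constructed sample request (values are placeholders, not real credentials).
const sampleRequest = {
  method: 'POST',
  path: '/mcp',
  headers: {
    Authorization: 'Bearer tok_constructed_example',
    'x-n8n-key': 'tenantkey_constructed_example',
    'content-type': 'application/json',
  },
  body: { jsonrpc: '2.0', id: 1, method: 'tools/call', params: { apiKey: 'param_constructed_secret' } },
};

// Returns true when the serialized entry leaks none of the sample secrets.
function entryIsClean(entry) {
  const text = JSON.stringify(entry);
  return !/tok_constructed_example|tenantkey_constructed_example|param_constructed_secret/.test(text);
}

console.log(JSON.stringify(buildLogEntrySafe(sampleRequest)));
```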
Attack Vector
Exploitation requires read access to n8n-mcp server logs or any downstream system that ingests them. Network attackers do not directly trigger disclosure, but legitimate clients that submit valid tokens leak those secrets into logs as a side effect of normal operation. Anyone with access to the log destination — including support staff, contractors, SIEM operators, or an attacker who has breached log infrastructure — can extract credentials and replay them against the MCP endpoint.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-pfm2-2mhg-8wpx for maintainer-provided technical details.
Detection Methods for CVE-2026-41495
Indicators of Compromise
- Log entries from the POST /mcp endpoint containing Authorization: Bearer values or x-n8n-key header content.
- Presence of JSON-RPC request payloads inside n8n-mcp HTTP access or application logs.
- Repeated 401 Unauthorized responses paired with header metadata in log lines, indicating credential-bearing requests are being persisted.
Detection Strategies
- Search historical log archives for the strings "Authorization", "Bearer " (with its trailing space), and "x-n8n-key", scoped to n8n-mcp log sources.
- Audit SIEM ingestion pipelines to identify which downstream indexes received n8n-mcp request logs prior to upgrading.
- Compare deployed n8n-mcp versions against the fixed release 2.47.11 using package manifests or container image tags.
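The three detection strategies above, as an added example that is not part of the advisory: a scanner that walks log text, keeps only lines touching the /mcp endpoint, reports which indicator (Authorization/Bearer value, x-n8n-key value, JSON-RPC payload) each line carries without re-emitting the secret itself, counts rejected requests that still persisted credentials, and compares a deployed version string against the fixed release 2.47.11. The log line format is a constructed assumption; real n8n-mcp output may differ, so the patterns should be adjusted to the actual source.

```javascript
// Added example, not n8n-mcp tooling. Sample lines below are constructed.
const SAMPLE_LOG = [
  '2026-05-09T10:00:01Z info POST /mcp 200 headers={"authorization":"Bearer tok_example_1","content-type":"application/json"} body={"jsonrpc":"2.0","id":1,"method":"tools/list"}',
  '2026-05-09T10:00:05Z info POST /mcp 401 headers={"authorization":"Bearer tok_example_bad","x-n8n-key":"tenant_key_example"}',
  '2026-05-09T10:00:09Z info GET /health 200',
  '2026-05-09T10:00:12Z info POST /mcp 401 headers={"x-n8n-key":"tenant_key_example2"}',
].join('\n');

// Indicators named in the advisory. Findings record only the indicator type
// and line number so the scanner does not copy secrets into a second log.
const INDICATORS = [
  { name: 'authorization-header', re: /authorization"?\s*[:=]\s*"?bearer\s+\S+/i },
  { name: 'x-n8n-key-header', re: /x-n8n-key"?\s*[:=]\s*"?[^"\s,}]+/i },
  { name: 'jsonrpc-payload', re: /"jsonrpc"\s*:\s*"2\.0"/ },
];

function scanLogText(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    if (!/\/mcp\b/.test(line)) return; // scope to the MCP endpoint only
    const indicators = INDICATORS.filter((i) => i.re.test(line)).map((i) => i.name);
    if (indicators.length === 0) return;
    const status = line.match(/\/mcp\s+(\d{3})\b/);
    findings.push({ line: idx + 1, status: status ? Number(status[1]) : null, indicators });
  });
  return findings;
}

// Rejected (401) requests whose credential headers were persisted anyway:
// the advisory's signature that logging happened independent of auth outcome.
function rejectedWithCredentials(text) {
  return scanLogText(text).filter(
    (f) => f.status === 401 && f.indicators.some((n) => n.endsWith('-header')),
  ).length;
}

// True when the version is below the fixed release 2.47.11. Accepts a leading
// "v"; pre-release suffixes are ignored by parseInt (an assumption, keep in mind).
function isAffectedVersion(version) {
  const fixed = [2, 47, 11];
  const parts = version.replace(/^v/, '').split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < fixed.length; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false;
}

console.log(scanLogText(SAMPLE_LOG), rejectedWithCredentials(SAMPLE_LOG));
```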
Monitoring Recommendations
- Alert on any log line from n8n-mcp components that contains authorization header patterns after the patch is applied.
- Monitor MCP endpoint usage for anomalous client behavior consistent with replayed bearer tokens or tenant API keys.
- Track access to log storage backends and SIEM indexes that previously held n8n-mcp request data.
How to Mitigate CVE-2026-41495
Immediate Actions Required
- Upgrade n8n-mcp to version 2.47.11 or later as documented in the GitHub Release v2.47.11.
- Rotate all bearer tokens and per-tenant x-n8n-key API keys that were used against affected deployments.
- Purge or restrict access to historical logs that may contain exposed credentials and JSON-RPC payloads.
Patch Information
The maintainer released the fix in n8n-mcp version 2.47.11. Details are published in the GitHub Security Advisory GHSA-pfm2-2mhg-8wpx and the v2.47.11 release notes. Operators should validate that all running instances, container images, and infrastructure-as-code references point to the patched version.
Workarounds
- If immediate upgrade is not possible, restrict the n8n-mcp HTTP transport endpoint to trusted networks only and limit which operators can read its logs.
- Configure log forwarders to redact Authorization and x-n8n-key headers before logs leave the host.
- Reduce log verbosity for the request pipeline so request metadata is not written for POST /mcp traffic until the upgrade is in place.
# Upgrade n8n-mcp to the patched release
npm install n8n-mcp@2.47.11
# Verify installed version
npm list n8n-mcp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.