CVE-2026-42282 Overview
CVE-2026-42282 is a sensitive information disclosure vulnerability [CWE-532] in n8n-mcp, a Model Context Protocol (MCP) server that exposes n8n node documentation, properties, and operations to AI assistants. In versions prior to 2.47.13 running in HTTP transport mode, the request dispatcher writes the full tools/call arguments and JSON-RPC params into server logs before any redaction occurs. When tool arguments carry credential material, for example the data field of n8n_manage_credentials, bearer tokens, OAuth credentials, API keys, and webhook authentication headers are persisted in plaintext logs. The exposure is most serious where logs are forwarded to SIEM pipelines, shared storage, or support tooling outside the request trust boundary, because anyone with read access to those systems can recover the secrets.
Critical Impact
Authenticated callers can cause secrets passed through MCP tool arguments to be written verbatim to server logs, enabling downstream credential disclosure to anyone with log access.
Affected Products
- n8n-mcp versions prior to 2.47.13
- Deployments running n8n-mcp in HTTP transport mode
- Environments forwarding logs to external SIEM or shared storage
Discovery Timeline
- 2026-05-08 - CVE-2026-42282 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42282
Vulnerability Analysis
The flaw is an insertion of sensitive information into log files [CWE-532]. When n8n-mcp operates over HTTP transport, the request dispatcher and several sibling code paths construct log entries containing the entire argument object for authenticated MCP tools/call requests. The full JSON-RPC params payload reaches the logger before any field-level redaction is applied.
Tool arguments routed to n8n_manage_credentials can carry a data field containing bearer tokens, OAuth client secrets, or per-tenant API keys. Any MCP tool invocation can also embed webhook authentication headers or arbitrary secrets. Once these values reach the logger, they are persisted wherever logs are written, shipped, or indexed.
The vulnerability requires a valid AUTH_TOKEN, so unauthenticated callers cannot trigger the exposure. A console-silencing layer in HTTP mode keeps the values off the interactive console, but the upstream maintainer notes that this layer is fragile and that the secret-bearing values are still constructed and handed to the logger. Exposure therefore surfaces in any system that ingests the logs, including SIEM pipelines, shared log buckets, and operations tooling.
Root Cause
The dispatcher logs raw tool-call arguments before redaction. The patch in version 2.47.13 introduces a new helper, summarizeToolCallArgs, declared in dist/utils/redaction.d.ts, which produces a sanitized summary suitable for logging instead of the raw argument object.
Attack Vector
An authenticated caller, whether a compromised AI assistant integration, a low-privilege tenant, or any other party holding the AUTH_TOKEN, sends a tools/call request that includes credential material in its arguments. The dispatcher writes the unredacted payload to the logs, and anyone with downstream log access can then read the secrets. No malicious caller is required: a legitimate operator who creates a credential through n8n_manage_credentials leaks their own secret in exactly the same way, and the beneficiary is whoever can read the logs.
// Patch excerpt: new redaction helpers introduced in v2.47.13 (declarations from dist/utils/redaction.d.ts)
export declare const REDACTED = "[REDACTED]"; // marker that replaces a redacted value in log output
export declare function redactHeaders(headers: Record<string, unknown> | undefined | null): Record<string, unknown>;
export declare function summarizeMcpBody(body: unknown): Record<string, unknown>;
// summarizeToolCallArgs replaces the raw argument object on the dispatcher's log path
export declare function summarizeToolCallArgs(args: unknown): Record<string, unknown>;
// Source: https://github.com/czlonkowski/n8n-mcp/commit/59b665bda36797823df238aeaf20adb862c9f451
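To make the root cause concrete, the TypeScript below is an added example written for this page, not n8n-mcp's own code: a minimal tools/call log path in its pre-2.47.13 shape next to a hardened version. JsonRpcRequest, summarizeArgs, SENSITIVE_KEYS, the sample request and the leak check are assumptions for the example; summarizeArgs stands in for the summarizeToolCallArgs helper declared above without reproducing its actual field rules.

```typescript
// Added example, not n8n-mcp's own code: the pre-2.47.13 logging shape next to a
// hardened one. summarizeArgs and SENSITIVE_KEYS are hypothetical stand-ins for the
// summarizeToolCallArgs helper the patch introduces; its real field rules are not reproduced.

type JsonRpcRequest = {
  jsonrpc: "2.0";
  id: number | string;
  method: string;
  params?: { name?: string; arguments?: unknown };
};

const REDACTED = "[REDACTED]";

// Assumed list of argument keys that carry credential material.
const SENSITIVE_KEYS =
  /^(data|authorization|headers?|token|access_?token|refresh_?token|api_?key|password|secret|client_?secret|private_?key)$/i;

// Constructed sample request: an n8n_manage_credentials call whose data field carries a token.
const sampleRequest: JsonRpcRequest = {
  jsonrpc: "2.0",
  id: 7,
  method: "tools/call",
  params: {
    name: "n8n_manage_credentials",
    arguments: {
      action: "create",
      name: "Slack prod",
      type: "slackApi",
      data: { accessToken: "xoxb-0000-constructed-sample-token" },
      headers: { Authorization: "Bearer constructed-sample-bearer" },
    },
  },
};

// BEFORE (the vulnerable shape): the whole params object is serialised into the log line.
function vulnerableLogLine(req: JsonRpcRequest): string {
  return `tools/call ${JSON.stringify(req.params)}`;
}

// Hypothetical summariser: keeps the shape of the arguments for debugging, replaces
// the entire subtree under any sensitive key with REDACTED, and collapses long strings
// so a secret sitting under an unexpected key cannot be copied out of the log whole.
function summarizeArgs(value: unknown, depth = 0): unknown {
  if (depth > 8) return "[TRUNCATED]";
  if (Array.isArray(value)) return value.map((v) => summarizeArgs(v, depth + 1));
  if (value && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEYS.test(k) ? REDACTED : summarizeArgs(v, depth + 1);
    }
    return out;
  }
  if (typeof value === "string") return value.length > 32 ? `[string, ${value.length} chars]` : value;
  return value; // numbers, booleans, null pass through
}

// AFTER (the hardened shape): log the tool name plus the redacted summary only.
function hardenedLogLine(req: JsonRpcRequest): string {
  const name = req.params?.name ?? "<unknown>";
  return `tools/call ${name} ${JSON.stringify(summarizeArgs(req.params?.arguments))}`;
}

// Check: does a produced log line still contain either constructed secret?
function leaksSampleSecret(line: string): boolean {
  return (
    line.includes("xoxb-0000-constructed-sample-token") ||
    line.includes("constructed-sample-bearer")
  );
}
```

Key-based redaction is deliberately conservative (the whole subtree under a sensitive key is dropped, not just the leaf), but it is not complete: a secret a caller places under an unexpected key survives unless the string-collapsing rule happens to catch it. That gap is why the collector-side masking listed under Workarounds remains worth keeping after the upgrade.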
Detection Methods for CVE-2026-42282
Indicators of Compromise
- Log entries from n8n-mcp HTTP transport containing JSON-RPC params with non-redacted data, headers, authorization, or token fields.
- Presence of n8n_manage_credentials tool invocations in logs where the data payload appears as raw key-value pairs rather than [REDACTED].
- Unexpected outbound authentication using credentials known to have been passed through n8n-mcp, indicating possible secondary use of leaked secrets.
Detection Strategies
- Grep historical log archives for tools/call entries referencing n8n_manage_credentials and inspect the argument payload for plaintext credentials.
- Correlate SIEM ingestion sources against the n8n-mcp deployment to enumerate every system that received pre-patch logs.
- Audit access logs of log storage backends (object storage, Elasticsearch, syslog collectors) for reads of the affected time window.
Monitoring Recommendations
- Forward n8n-mcp logs to a controlled pipeline with field-level masking until the upgrade to 2.47.13 is verified.
- Alert on any new tools/call log lines that contain high-entropy strings matching token or key patterns.
- Track authentication anomalies for credentials managed through n8n-mcp to detect post-disclosure abuse.
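The indicators and strategies above reduce to one scan over exported log lines. The TypeScript below is an added example for this page, not n8n-mcp tooling: it parses a JSON-per-line export, flags tools/call entries whose sensitive argument fields are not replaced by [REDACTED], and flags token-shaped high-entropy strings found under any other key. The log shape (a msg field of tools/call with params beside it), the sensitive-key list, the 3.8 bits/char threshold, the placeholder tool names and the sample lines are all assumptions; adapt the parser to the actual format your n8n-mcp deployment emits.

```typescript
// Added example, not n8n-mcp's own code: scan a JSON-per-line log export for tools/call
// entries whose arguments still carry credential material. The sensitive-key list, the
// entropy threshold, the log shape and the sample lines are assumptions made for this example.

const REDACTED_MARKER = "[REDACTED]";
const SENSITIVE_KEY =
  /^(data|authorization|headers?|token|access_?token|refresh_?token|api_?key|password|secret|client_?secret|private_?key)$/i;

interface Finding {
  line: number;   // 1-based line number in the export
  tool: string;   // params.name of the tools/call entry
  path: string;   // JSON path of the offending value
  reason: string;
}

// Shannon entropy of a string in bits per character.
function entropyBitsPerChar(s: string): number {
  const counts: Record<string, number> = {};
  for (const ch of s) counts[ch] = (counts[ch] ?? 0) + 1;
  let h = 0;
  for (const k of Object.keys(counts)) {
    const p = counts[k] / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Token-shaped string: long, no whitespace, high entropy. 3.8 bits/char is an assumed
// threshold; prose of that length almost always contains spaces and is filtered first.
function looksLikeSecret(s: string): boolean {
  return s.length >= 20 && !/\s/.test(s) && entropyBitsPerChar(s) >= 3.8;
}

// True when a sensitive field has already been replaced by the marker, either as a
// whole or leaf by leaf (covers both styles of summariser output).
function fullyRedacted(v: unknown): boolean {
  if (v === REDACTED_MARKER) return true;
  if (Array.isArray(v)) return v.length > 0 && v.every(fullyRedacted);
  if (v && typeof v === "object") {
    const vals = Object.values(v as Record<string, unknown>);
    return vals.length > 0 && vals.every(fullyRedacted);
  }
  return false;
}

function walk(value: unknown, path: string, line: number, tool: string, out: Finding[]): void {
  if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, line, tool, out));
    return;
  }
  if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      const p = `${path}.${k}`;
      if (SENSITIVE_KEY.test(k)) {
        if (!fullyRedacted(v)) out.push({ line, tool, path: p, reason: `sensitive field '${k}' is not redacted` });
        continue; // the whole subtree is secret; nothing more to learn from it
      }
      walk(v, p, line, tool, out);
    }
    return;
  }
  if (typeof value === "string" && looksLikeSecret(value)) {
    out.push({ line, tool, path, reason: "high-entropy string outside a known sensitive field" });
  }
}

// Scan raw log lines; non-JSON lines and entries that are not tools/call are skipped.
function scanLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((raw, idx) => {
    let entry: any;
    try { entry = JSON.parse(raw); } catch { return; }
    if (!entry || entry.msg !== "tools/call" || !entry.params) return;
    const tool = String(entry.params.name ?? "<unknown>");
    walk(entry.params.arguments, "arguments", idx + 1, tool, findings);
  });
  return findings;
}

// Constructed sample export (not real n8n-mcp output). Tool names other than
// n8n_manage_credentials are placeholders.
const SAMPLE_LOG: string[] = [
  '{"level":"info","msg":"tools/call","params":{"name":"n8n_manage_credentials","arguments":{"action":"create","type":"slackApi","data":{"accessToken":"xoxb-0000-constructed-sample-token"}}}}',
  '{"level":"info","msg":"tools/call","params":{"name":"n8n_manage_credentials","arguments":{"action":"list","data":"[REDACTED]"}}}',
  '{"level":"info","msg":"tools/call","params":{"name":"example_tool","arguments":{"query":"how do I build a webhook workflow that posts to slack","note":"A1b2C3d4E5f6G7h8I9j0K1l2"}}}',
  '{"level":"info","msg":"tools/call","params":{"name":"example_webhook_tool","arguments":{"headers":{"Authorization":"Bearer constructed-sample-bearer"}}}}',
  '{"level":"info","msg":"server started","params":null}',
  'not a json line',
];

const sampleFindings: Finding[] = scanLog(SAMPLE_LOG);
```

Run it over every archive enumerated in the correlation step and keep the findings list: it is both the evidence that fixes the rotation scope and the list of log backends whose own access logs need auditing for the affected window. The entropy rule is a heuristic and will miss short or low-entropy secrets, so treat an empty result on a pre-patch archive as "nothing obvious", not as proof that no credential passed through.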
How to Mitigate CVE-2026-42282
Immediate Actions Required
- Upgrade n8n-mcp to version 2.47.13 or later, which introduces summarizeToolCallArgs to sanitize tool-call arguments before logging.
- Rotate every credential, bearer token, OAuth secret, API key, and webhook authentication header that was passed through n8n-mcp HTTP transport prior to the upgrade.
- Purge or restrict access to historical log archives, backups, and SIEM indices that captured pre-patch traffic.
Patch Information
The fix is published in GitHub Release v2.47.13 and tracked in GitHub Security Advisory GHSA-wg4g-395p-mqv3. The code change is commit 59b665bda36797823df238aeaf20adb862c9f451 in the n8n-mcp repository, which adds a dedicated tool-call argument summarizer used on the dispatcher path.
Workarounds
- Restrict the AUTH_TOKEN to a minimal set of trusted callers and rotate it after the upgrade.
- Disable HTTP transport mode where it is not strictly required, reducing the surface that logs raw arguments.
- Apply log redaction at the collector or SIEM layer to mask data, authorization, and headers fields originating from n8n-mcp.
# Upgrade n8n-mcp to the patched release
npm install n8n-mcp@2.47.13
# Verify installed version
npm list n8n-mcp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.