CVE-2026-45582 Overview
CVE-2026-45582 is an information disclosure vulnerability in n8n-MCP, an MCP server that exposes n8n node documentation, properties, and operations to AI assistants. Versions prior to 2.51.3 ship a workflow telemetry sanitizer that fails to strip all URL-shaped node parameters before transmitting workflow data to the project's anonymous telemetry backend. Partial URL fragments containing sensitive values can persist in stored telemetry. The flaw maps to [CWE-201: Insertion of Sensitive Information Into Sent Data].
Critical Impact
Customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters configured in HTTP-Request-style nodes can leak to the project's telemetry backend, contradicting the boundary documented in PRIVACY.md.
Affected Products
- n8n-mcp versions prior to 2.51.3
- Deployments using HTTP-Request-style node parameters with embedded identifiers or secrets
- Installations with anonymous telemetry collection enabled
Discovery Timeline
- 2026-05-29 - CVE-2026-45582 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45582
Vulnerability Analysis
The vulnerability resides in the workflow telemetry sanitizer that processes node parameters before forwarding workflow metadata to the n8n-MCP anonymous telemetry endpoint. The sanitizer attempts to redact URL-shaped values to honor the data collection boundary documented in PRIVACY.md. However, the redaction logic retains partial fragments of those URLs, allowing residual sensitive content to be transmitted and stored.
HTTP-Request nodes commonly contain customer IDs, tenant identifiers, short bearer-style secrets in query parameters, and signed request parameters such as AWS-style signatures or HMAC tokens. When workflows referencing these values are submitted to telemetry, those fragments are not fully scrubbed.
Exploitation requires no user interaction and authenticated low-privilege access to a vulnerable n8n-MCP instance. The impact is limited to confidentiality of workflow parameter values.
Root Cause
The root cause is incomplete pattern matching in the telemetry sanitization routine. The sanitizer detects URL-shaped strings but only removes portions of them rather than redacting the entire value or its sensitive substrings. Query string components and embedded credentials therefore survive the sanitization pass.
Attack Vector
The vulnerability is exposed through normal operation rather than an active attack path. Any operator running n8n-MCP versions earlier than 2.51.3 with telemetry enabled implicitly transmits partial URL fragments containing workflow secrets. A party with access to the stored telemetry corpus could correlate fragments to identify tenants or replay short-lived tokens.
No verified proof-of-concept exploit is published. The fix is delivered in commit 6cf6fef653fcd6d598f2f356aac4754931c7329f via pull request #782 and documented in GHSA-f3rg-xqjj-cj9w.
Detection Methods for CVE-2026-45582
Indicators of Compromise
- Outbound HTTPS connections from n8n-MCP hosts to the project's telemetry endpoint while running a version prior to 2.51.3.
- Workflow definitions referencing HTTP-Request nodes with secrets, signed parameters, or tenant IDs embedded directly in URLs.
- Audit logs showing telemetry transmission events that include workflow node parameter payloads.
Detection Strategies
- Inventory all running n8n-MCP instances and compare installed versions against the fixed release 2.51.3.
- Inspect workflow definitions for HTTP-Request-style nodes containing query-string secrets or signed URLs that may already have been transmitted.
- Review egress proxy and firewall logs for connections to the n8n-MCP telemetry backend originating from vulnerable hosts.
Monitoring Recommendations
- Alert on installations of n8n-MCP packages with versions less than 2.51.3.
- Continuously monitor outbound traffic from automation hosts and flag telemetry endpoints unless explicitly approved.
- Track changes to PRIVACY.md-bound configuration flags that enable or disable anonymous telemetry.
How to Mitigate CVE-2026-45582
Immediate Actions Required
- Upgrade n8n-MCP to version 2.51.3 or later, which contains the corrected sanitizer in commit 6cf6fef653fcd6d598f2f356aac4754931c7329f.
- Rotate any short-lived secrets, signed parameters, or tenant identifiers that were embedded in HTTP-Request node URLs while running a vulnerable version.
- Audit historical workflow definitions for sensitive values placed directly into URL parameters and refactor them to use credential stores.
Patch Information
The vulnerability is fixed in n8n-MCP release v2.51.3. The corrective change is implemented in commit 6cf6fef and was merged through pull request #782. Full details are published in GitHub Security Advisory GHSA-f3rg-xqjj-cj9w.
Workarounds
- Disable anonymous telemetry collection in n8n-MCP until the upgrade to 2.51.3 is complete.
- Block egress to the n8n-MCP telemetry endpoint at the network perimeter for affected hosts.
- Move all secrets and signed parameters out of URL fields and into n8n credential objects so they are not surfaced to the telemetry sanitizer.
# Upgrade n8n-MCP to the fixed release
npm install -g n8n-mcp@2.51.3
# Verify the installed version
npm list -g n8n-mcp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
