CVE-2026-45582
MEDIUM
6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none
Description
AI Translation Available
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3.
201
Insertion of Sensitive Information Into Sent Data
DraftCommon Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Files Or Directories
Read Memory
Read Application Data
Applicable Platforms
All platforms may be affected
https://github.com/czlonkowski/n8n-mcp/commit/6cf6fef653fcd6d598f2f356aac475493…
https://github.com/czlonkowski/n8n-mcp/pull/782
https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.51.3
https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-f3rg-xqjj-cj9w