Impact
n8n-mcp versions before 2.50.1 contained three independently-reported issues affecting deployments that run the n8n API integration:
-
Caller-supplied identifiers were not validated before being used as URL path segments by the n8n API client. An authenticated MCP caller passing a crafted workflow id could cause outbound requests carrying the configured n8n API key to land on other same-origin endpoints, bypassing handler-level access controls (including DISABLED_TOOLS).
-
Validated webhook, form, and chat trigger URLs followed redirects. A URL that passed initial validation could redirect the outbound request to a host that would otherwise have been rejected, with the response body returned to the caller. Reachable as non-blind SSRF over authenticated MCP calls.
-
Mutation telemetry stored unredacted operation payloads. On instances running with the default opt-in telemetry, partial-update operation diffs were uploaded without redaction. Operation values can carry the same node-parameter values the workflow contains, including bearer tokens, API keys, and webhook secrets.
Severity
CVSS 8.3 (HIGH). Exploitation requires an authenticated MCP caller and an n8n API integration configured with an n8n API key.
Patched versions
Upgrade to n8n-mcp >= 2.50.1.
Workarounds
- For issues (1) and (2): restrict network access to the HTTP transport (firewall, reverse-proxy ACL, or VPN) so only trusted callers can reach the MCP HTTP port; or switch to stdio mode, which exposes no HTTP surface for these issues.
- For issue (3): set
N8N_MCP_TELEMETRY_DISABLED=true in the environment before starting the server, or run npx n8n-mcp telemetry disable once.
Credit
Reported by @cybercraftsolutionsllc.
References
cybercraftsolutionsllc Reporter
Impact
n8n-mcpversions before 2.50.1 contained three independently-reported issues affecting deployments that run the n8n API integration:Caller-supplied identifiers were not validated before being used as URL path segments by the n8n API client. An authenticated MCP caller passing a crafted workflow id could cause outbound requests carrying the configured n8n API key to land on other same-origin endpoints, bypassing handler-level access controls (including
DISABLED_TOOLS).Validated webhook, form, and chat trigger URLs followed redirects. A URL that passed initial validation could redirect the outbound request to a host that would otherwise have been rejected, with the response body returned to the caller. Reachable as non-blind SSRF over authenticated MCP calls.
Mutation telemetry stored unredacted operation payloads. On instances running with the default opt-in telemetry, partial-update operation diffs were uploaded without redaction. Operation values can carry the same node-parameter values the workflow contains, including bearer tokens, API keys, and webhook secrets.
Severity
CVSS 8.3 (HIGH). Exploitation requires an authenticated MCP caller and an n8n API integration configured with an n8n API key.
Patched versions
Upgrade to
n8n-mcp >= 2.50.1.Workarounds
N8N_MCP_TELEMETRY_DISABLED=truein the environment before starting the server, or runnpx n8n-mcp telemetry disableonce.Credit
Reported by @cybercraftsolutionsllc.
References