MEDIUM 6.5

CVE-2026-45582: n8n-MCP Telemetry Data Leakage (MEDIUM)

n8n-MCP, an AI assistant integration layer for the n8n workflow automation platform, fails to fully sanitize sensitive data before transmitting workflow information to its telemetry backend. The flaw allows fragments of URLs and embedded credentials—such as API keys, tenant IDs, and signed request parameters—to leak into the project's anonymous telemetry collection. This occurs when users configure HTTP-Request-style nodes with sensitive parameters in their URLs. The vulnerability affects versions before 2.51.3, where the telemetry sanitizer was enhanced to properly redact these values before transmission.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-201
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in n8n-MCP's workflow telemetry sanitizer (CWE-201: Exposure of Sensitive Information to an Unauthorized Actor). When workflow data is prepared for transmission to the telemetry backend, the sanitization logic fails to identify and remove URL-shaped parameters commonly placed in HTTP-Request node configurations. Sensitive values—including customer identifiers, short-form secrets embedded in query strings, and cryptographic signatures—persist through the sanitization process and are transmitted alongside anonymized workflow metadata. The sanitizer's incomplete pattern matching or scope allows these fragments to reach the remote telemetry endpoint, violating the privacy boundary documented in the project's PRIVACY.md file. Version 2.51.3 introduces improved sanitization logic to detect and remove these parameter patterns before telemetry submission.

Business impact

This vulnerability creates a data leakage risk for organizations using n8n-MCP to integrate AI assistants with n8n workflows. Depending on what credentials or identifiers are embedded in HTTP request configurations, leaked telemetry could expose tenant identifiers for multi-tenant SaaS platforms, short-lived API tokens, OAuth bearer tokens, or signed request parameters used for inter-service authentication. While the leaked data is sent to the project's own telemetry backend rather than public channels, unauthorized access to that backend or a data breach affecting it could expose sensitive customer or system identifiers. Organizations relying on HTTP-Request nodes for API authentication or multi-tenant routing should treat this as a configuration risk that impacts both compliance (GDPR, CCPA data minimization) and operational security.

Affected systems

n8n-MCP versions prior to 2.51.3 are affected. This includes all workflows configured with HTTP-Request-style nodes that place sensitive values (API keys, tokens, identifiers, or signatures) in URL parameters or query strings. The exposure affects any organization using n8n-MCP as an AI assistant integration bridge where workflow data is sent to telemetry. Versions 2.51.3 and later include the fixed sanitizer and are not affected by this issue.

Exploitability

This vulnerability requires authenticated access to n8n-MCP and does not require user interaction or special network conditions (CVSS vector AV:N/AC:L/PR:L). An authenticated user cannot directly exploit the leak—the leak occurs passively during normal telemetry collection. However, an attacker with access to the telemetry backend itself, or one who monitors network traffic between n8n-MCP and the telemetry endpoint, could observe the leaked fragments. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active exploitation in the wild to date.

Remediation

Upgrade n8n-MCP to version 2.51.3 or later to receive the enhanced telemetry sanitizer. As an interim mitigation, review all HTTP-Request nodes in your workflows and refactor them to avoid embedding secrets or identifiers directly in URLs; instead, use n8n's credential management system to store and reference sensitive values separately. Additionally, verify that your n8n-MCP deployment does not expose the telemetry endpoint to unauthorized network access, and audit any existing telemetry logs for evidence of sensitive data transmission.

Patch guidance

Update n8n-MCP to version 2.51.3 as soon as practical. This patch introduces sanitization improvements specifically designed to detect and remove URL-shaped parameter patterns before telemetry transmission. Verify compatibility with your current n8n instance version and AI assistant integrations before deploying to production. No breaking changes are documented for this release; it is a security-focused patch.

Detection guidance

Monitor n8n-MCP telemetry logs and network traffic for patterns indicating sensitive data leakage. Look for HTTP request URLs containing query parameters with characteristic secret or token patterns (bearer tokens, API keys, signed parameters with timestamps). Enable detailed workflow auditing in n8n to track which HTTP-Request nodes are actively transmitting data. Review workflow configurations to identify nodes that embed credentials or identifiers in URLs, and cross-reference them against recent telemetry submissions. Organizations with network monitoring can inspect outbound traffic from n8n-MCP to its telemetry endpoint for evidence of unredacted sensitive values.

Why prioritize this

This vulnerability merits prompt but not emergency remediation. The CVSS 6.5 MEDIUM score reflects the requirement for authentication and the confidentiality impact (C:H). Prioritization depends on your risk tolerance for credential exposure via telemetry: if your workflows embed production API keys or tenant identifiers in URLs, treat this as a higher priority; if credentials are managed separately and URLs contain only non-critical identifiers, lower priority is justified. The lack of active exploitation (KEV status: false) suggests no immediate threat actor activity, allowing time for measured patching.

Risk score, explained

The CVSS 6.5 score (MEDIUM) is driven by three factors: (1) Network-accessible attack vector (AV:N) reflecting that exploitation could occur via telemetry transmission over the network; (2) Low attack complexity (AC:L) because the telemetry sanitizer fails consistently on URL-shaped parameters; (3) Requirement for authentication (PR:L), meaning only authenticated n8n-MCP users can trigger workflow telemetry submission. The impact is high confidentiality (C:H) due to potential exposure of credentials and identifiers, with no integrity or availability impact (I:N/A:N). The score does not account for organizational factors like whether sensitive data is actually present in your workflows.

Frequently asked questions

Could an attacker remotely force my workflow telemetry to leak sensitive data?

No. The leak occurs automatically during normal telemetry collection when n8n-MCP sends workflow metadata. You cannot be forced to leak data by an external actor; the risk is limited to authenticated users whose workflows contain secrets in URL parameters. However, if an attacker gains access to your n8n-MCP credentials or the telemetry backend, they could observe previously leaked fragments.

Do I need to rotate credentials if I was using a version prior to 2.51.3?

If you embedded API keys, tokens, or secrets in HTTP-Request node URLs, and those credentials are still active, consider rotating them as a precaution. Review your telemetry logs (if accessible) to confirm whether sensitive data was actually transmitted. If you used n8n's credential management system instead of embedding secrets in URLs, your credentials were not at risk.

Will upgrading to 2.51.3 delete or sanitize previously leaked telemetry data?

No. The upgrade patches the forward-looking sanitizer to prevent future leaks. Existing telemetry data that already contains sensitive fragments will not be retroactively cleaned. You should work with n8n to determine retention policies and whether historical telemetry logs can be purged or archived.

Is this vulnerability active on the CISA KEV list?

No. As of the advisory date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, meaning no confirmed active exploitation by threat actors has been reported. This does not mean the vulnerability is insignificant—it reflects the current threat landscape.

This analysis is based on the CVE-2026-45582 advisory published on 2026-05-29 and modified 2026-06-17. CVSS scores and vector strings are derived from the official CVE record and should not be modified without reference to the NVD or MITRE. No exploit code or detailed weaponization steps are provided. Patch version numbers and remediation guidance should be verified against official n8n project advisories and release notes. This material is for informational purposes and does not constitute professional security advice; organizations should conduct their own risk assessment based on their specific deployment and data sensitivity. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).