CVE-2026-45582: n8n-mcp: telemetry leak exposes workflow URL secrets

GHSA-f3rg-xqjj-cj9w MEDIUM
Published May 18, 2026
CISO Take

The workflow telemetry sanitizer in n8n-mcp failed to strip partial URL-shaped node parameters—including tenant identifiers, short secrets embedded in query strings, and signed request parameters—before transmitting workflow definition data to the project's anonymous telemetry backend, silently violating the privacy boundary documented in PRIVACY.md. With a CVSS Confidentiality impact of High (AV:N/AC:L/PR:L) and 16 downstream dependents, any operator with access to the telemetry backend can reconstruct sensitive workflow configuration fragments without victim organization awareness—compounded by 82 prior CVEs in the same package and an OpenSSF Scorecard of 6.1/10, warranting elevated supply chain scrutiny beyond what the medium CVSS score alone suggests. Upgrade to n8n-mcp 2.51.3 immediately; if upgrade is not possible, disable telemetry via N8N_MCP_TELEMETRY_DISABLED=true and rotate any short secrets or signed URLs embedded in HTTP Request-style workflow node parameters.

Sources: GitHub Advisory, OpenSSF, NVD, ATLAS

What is the risk?

This is a medium-severity issue with elevated supply chain concern for agentic AI deployments. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H) indicates network-accessible, low-complexity exploitation requiring only low privileges; however, meaningful exploitation requires insider or operator-level access to the telemetry backend rather than an external attacker. The primary risk is that inadvertent data collection may already be in progress in production deployments: organizations running n8n-mcp may have been silently exposing workflow URL parameters to a third-party telemetry store without knowing it. The package's 82 prior CVEs and below-average OpenSSF Scorecard (6.1/10) elevate the supply chain risk profile materially beyond what the CVSS score communicates.

How does the attack unfold?

  1. Unsanitized Telemetry Emission (AML.T0025): n8n-mcp transmits workflow definition telemetry to its anonymous backend with partial URL-shaped node parameters intact, bypassing the privacy boundary documented in PRIVACY.md due to defective sanitizer logic.

  2. Silent Data Accumulation (AML.T0036): Sensitive URL fragments (tenant IDs, signed request tokens, query-string secrets) accumulate undetected in the telemetry data store across all affected workflow deployments over time.

  3. Telemetry Backend Extraction (AML.T0083): An adversary with operator-level access to the telemetry backend queries stored records to extract workflow URL parameter fragments from victim organizations, correlating tenant identifiers and endpoint structures.

  4. Follow-on Targeting (AML.T0087): Extracted fragments reveal internal API endpoint structures, tenant relationships, and partial signing secrets, enabling targeted reconnaissance and credential abuse against victim AI pipeline infrastructure.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm         < 2.51.3           2.51.3

Package profile: 194.3K, OpenSSF 6.6, pushed 6d ago, 53% patched, ~7d to patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Metric                      Value
Attack Vector (AV)          Network
Attack Complexity (AC)      Low
Privileges Required (PR)    Low
User Interaction (UI)       None
Scope (S)                   Unchanged
Confidentiality (C)         High
Integrity (I)               None
Availability (A)            None

What should I do?

6 steps
  1. Upgrade n8n-mcp to version 2.51.3 immediately—this is the only complete fix.

  2. If immediate upgrade is not possible, set any of the following environment variables to 'true': N8N_MCP_TELEMETRY_DISABLED, TELEMETRY_DISABLED, or DISABLE_TELEMETRY.

  3. Audit existing workflow definitions for URL-shaped parameters containing sensitive data (tenant IDs, signed URLs, query-string secrets).

  4. Rotate any short secrets or time-limited signed request parameters that may have been embedded in HTTP Request-style workflow node parameters and transmitted to telemetry.

  5. Review access controls on any telemetry infrastructure with visibility into collected workflow data.

  6. Add n8n-mcp to your third-party software inventory for ongoing CVE monitoring given the package's history of 82 prior CVEs.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 10 - Data and data governance
ISO 42001
A.9.4 - Data management for AI systems
NIST AI RMF
GOVERN 1.1 - Policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks are in place, transparent, and implemented effectively
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-45582 actively exploited?

No confirmed active exploitation of CVE-2026-45582 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-45582?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, MCP server integrations, multi-tenant AI orchestration pipelines.

What is the CVSS score for CVE-2026-45582?

CVE-2026-45582 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.26%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI workflow automation, MCP server integrations, multi-tenant AI orchestration pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 10
ISO 42001: A.9.4
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3.
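The defect class described above (a sanitizer that handles complete URLs but lets partial URL-shaped fragments through) and remediation step 3 (auditing stored workflows for such values) can both be illustrated with one piece of code. The following is an added example written for this page, not n8n-mcp's own sanitizer or any code from the project; the workflow/node type shapes, the function names, the regexes and the sample workflow are assumptions made for illustration. It redacts every string value that looks like a full URL, a scheme-less host/path fragment, or a bare query-string fragment before a workflow is emitted as telemetry, and it reports where such values live in a stored workflow along with query keys that look like secrets or tenant identifiers worth rotating.

```typescript
// Added example (not n8n-mcp's own code): a conservative telemetry sanitizer
// and a matching audit pass for URL-shaped workflow node parameters.
// Workflow/node shapes and the sample below are assumptions for illustration.

type JsonValue = string | number | boolean | null | JsonValue[] | { [k: string]: JsonValue };
interface WorkflowNode { name: string; type: string; parameters: { [k: string]: JsonValue } }
interface Workflow { name: string; nodes: WorkflowNode[] }
interface Finding { node: string; path: string; shape: string; sensitiveKeys: string[] }

// Three shapes a sanitizer must catch. The defect class in the advisory is
// handling only complete URLs while partial fragments pass through intact.
const FULL_URL = /^[a-z][a-z0-9+.-]*:\/\/\S+/i;                 // https://host/path?x=1
const HOST_PATH = /^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/?#]\S*)?$/i; // host.example.com/path
const QUERY_FRAGMENT = /(?:^|[?&])[\w.-]+=[^&\s]*/;              // ?tenant=acme&key=...
// Query keys whose values are worth rotating if they ever reached telemetry.
const SENSITIVE_KEY = /signature|credential|token|secret|key|sig|tenant/i;

// Returns which URL shape a string value has, or null for non-URL values.
// Deliberately over-inclusive: a false positive costs telemetry detail,
// a false negative leaks a secret.
function urlShape(value: string): string | null {
  if (FULL_URL.test(value)) return "full-url";
  if (HOST_PATH.test(value)) return "host-path-fragment";
  if (QUERY_FRAGMENT.test(value)) return "query-fragment";
  return null;
}

// Query keys from any of the three shapes, without requiring a parseable URL.
function queryKeys(value: string): string[] {
  const q = value.indexOf("?");
  const qs = q >= 0 ? value.slice(q + 1) : value;
  const keys: string[] = [];
  for (const pair of qs.split("&")) {
    const m = /^([\w.-]+)=/.exec(pair);
    if (m) keys.push(m[1]);
  }
  return keys;
}

// Recursively visits every string inside a parameter tree, tracking its path.
function walk(value: JsonValue, path: string, onString: (s: string, p: string) => string): JsonValue {
  if (typeof value === "string") return onString(value, path);
  if (Array.isArray(value)) return value.map((v, i) => walk(v, `${path}[${i}]`, onString));
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: JsonValue } = {};
    for (const [k, v] of Object.entries(value)) out[k] = walk(v, `${path}.${k}`, onString);
    return out;
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Redacts every URL-shaped parameter value before the workflow is emitted as telemetry.
function sanitizeForTelemetry(workflow: Workflow): Workflow {
  return {
    name: workflow.name,
    nodes: workflow.nodes.map((node) => ({
      name: node.name,
      type: node.type,
      parameters: walk(node.parameters, "parameters", (s) => (urlShape(s) ? "[redacted-url]" : s)) as { [k: string]: JsonValue },
    })),
  };
}

// Remediation step 3: lists where URL-shaped values live in a stored workflow
// and which query keys look like secrets or tenant identifiers to rotate.
function auditWorkflow(workflow: Workflow): Finding[] {
  const findings: Finding[] = [];
  for (const node of workflow.nodes) {
    walk(node.parameters, "parameters", (s, path) => {
      const shape = urlShape(s);
      if (shape) {
        findings.push({ node: node.name, path, shape, sensitiveKeys: queryKeys(s).filter((k) => SENSITIVE_KEY.test(k)) });
      }
      return s;
    });
  }
  return findings;
}

// Constructed sample workflow (hypothetical; not from any real deployment).
const SAMPLE_WORKFLOW: Workflow = {
  name: "crm-export",
  nodes: [
    { name: "Fetch export", type: "n8n-nodes-base.httpRequest", parameters: {
        method: "GET",
        url: "https://api.example.com/v1/tenants/acme-123/export?X-Amz-Signature=0badf00d&X-Amz-Expires=300",
        options: { queryParameters: [{ name: "extra", value: "?tenant=acme-123&key=s3cr3t" }] } } },
    { name: "Set bucket", type: "n8n-nodes-base.set", parameters: {
        values: { string: [{ name: "bucket", value: "storage.example.com/acme-123/exports" }] } } },
  ],
};

console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW), null, 2));
console.log(JSON.stringify(sanitizeForTelemetry(SAMPLE_WORKFLOW)));
```

The design choice to note is the asymmetry of the error costs: the matcher will occasionally redact a harmless value such as a filename with a dotted extension, which only reduces telemetry detail, whereas the advisory's sanitizer erred in the other direction and let tenant identifiers and signed parameters through. Running the audit pass over exported workflow JSON gives the list of parameters whose embedded secrets should be rotated under step 4, independent of whether telemetry has since been disabled.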

Exploitation Scenario

A malicious insider or rogue operator with access to the n8n-mcp project's telemetry backend queries stored telemetry records to extract partial URL parameters from victim organizations' workflow definitions. For example, an enterprise using n8n-mcp to automate AI-powered CRM workflows passes customer tenant IDs and short-lived signed S3 URLs as query parameters in HTTP Request nodes—these fragments appear verbatim in collected telemetry. The attacker correlates tenant ID fragments with known customer lists to map the victim's customer base, or uses partial signed URL patterns to infer internal storage bucket naming conventions and endpoint structure, enabling targeted follow-on reconnaissance against the victim's AI pipeline infrastructure.

Weaknesses (CWE)

CWE-201 — Insertion of Sensitive Information Into Sent Data: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

  • [Requirements] Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.
  • [Implementation] Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
May 18, 2026
Last Modified
May 29, 2026
First Seen
May 18, 2026
