CVE-2026-45582: n8n-mcp: telemetry leak exposes workflow URL secrets

GHSA-f3rg-xqjj-cj9w MEDIUM
Published May 18, 2026
CISO Take

The workflow telemetry sanitizer in n8n-mcp failed to strip partial URL-shaped node parameters—including tenant identifiers, short secrets embedded in query strings, and signed request parameters—before transmitting workflow definition data to the project's anonymous telemetry backend, silently violating the privacy boundary documented in PRIVACY.md. With a CVSS Confidentiality impact of High (AV:N/AC:L/PR:L) and 16 downstream dependents, any operator with access to the telemetry backend can reconstruct sensitive workflow configuration fragments without victim organization awareness—compounded by 82 prior CVEs in the same package and an OpenSSF Scorecard of 6.1/10, warranting elevated supply chain scrutiny beyond what the medium CVSS score alone suggests. Upgrade to n8n-mcp 2.51.3 immediately; if upgrade is not possible, disable telemetry via N8N_MCP_TELEMETRY_DISABLED=true and rotate any short secrets or signed URLs embedded in HTTP Request-style workflow node parameters.

Sources: GitHub Advisory, OpenSSF, NVD, ATLAS

What is the risk?

Medium severity with elevated supply chain concern for AI agentic deployments. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H) indicates network-accessible, low-complexity exploitation requiring only low privileges—however, meaningful exploitation requires insider or operator-level access to the telemetry backend rather than an external attacker. The primary risk is that inadvertent data collection may already be in progress in production deployments: organizations running n8n-mcp may have been silently exposing workflow URL parameters to a third-party telemetry store without knowing it. The package's 82 prior CVEs and below-average OpenSSF Scorecard (6.1/10) elevate the supply chain risk profile materially beyond what the CVSS score communicates.

Attack Kill Chain

Unsanitized Telemetry Emission
n8n-mcp transmits workflow definition telemetry to its anonymous backend with partial URL-shaped node parameters intact, bypassing the privacy boundary documented in PRIVACY.md due to defective sanitizer logic.
AML.T0025
Silent Data Accumulation
Sensitive URL fragments—tenant IDs, signed request tokens, query-string secrets—accumulate undetected in the telemetry data store across all affected workflow deployments over time.
AML.T0036
Telemetry Backend Extraction
Adversary with operator-level access to the telemetry backend queries stored records to extract workflow URL parameter fragments from victim organizations, correlating tenant identifiers and endpoint structures.
AML.T0083
Follow-on Targeting
Extracted fragments reveal internal API endpoint structures, tenant relationships, and partial signing secrets, enabling targeted reconnaissance and credential abuse against victim AI pipeline infrastructure.
AML.T0087

What systems are affected?

Package: n8n-mcp
Ecosystem: npm
Vulnerable range: < 2.51.3
Patched: 2.51.3


Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

  1. Upgrade n8n-mcp to version 2.51.3 immediately—this is the only complete fix.

  2. If immediate upgrade is not possible, set any of the following environment variables to 'true': N8N_MCP_TELEMETRY_DISABLED, TELEMETRY_DISABLED, or DISABLE_TELEMETRY.

  3. Audit existing workflow definitions for URL-shaped parameters containing sensitive data (tenant IDs, signed URLs, query-string secrets).

  4. Rotate any short secrets or time-limited signed request parameters that may have been embedded in HTTP Request-style workflow node parameters and transmitted to telemetry.

  5. Review access controls on any telemetry infrastructure with visibility into collected workflow data.

  6. Add n8n-mcp to your third-party software inventory for ongoing CVE monitoring given the package's history of 82 prior CVEs.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 10 - Data and data governance
ISO 42001
A.9.4 - Data management for AI systems
NIST AI RMF
GOVERN 1.1 - Policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks are in place, transparent, and implemented effectively
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-45582 actively exploited?

No confirmed active exploitation of CVE-2026-45582 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-45582?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, MCP server integrations, multi-tenant AI orchestration pipelines.

What is the CVSS score for CVE-2026-45582?

CVE-2026-45582 has a CVSS v3.1 base score of 6.5 (MEDIUM).

Technical Details

NVD Description

Summary

In affected versions of n8n-mcp, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md.

Impact

Operators with access to the project's telemetry backend could read partial fragments of workflow URL parameters that should not have been collected. The bug was scoped to URL-shaped fields in workflow definitions; credentials, OAuth tokens, and workflow execution data are not affected — credentials are removed by a separate code path, and long secrets and known-provider tokens are matched by dedicated patterns.

Patches

Fixed in n8n-mcp 2.51.3. Upgrading is the recommended remediation.

Workarounds

For users who cannot upgrade immediately, disable anonymous telemetry by setting any of these environment variables to true:
  - N8N_MCP_TELEMETRY_DISABLED
  - TELEMETRY_DISABLED
  - DISABLE_TELEMETRY

Credit

Reported by @u-ktdi.
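As an added example (not n8n-mcp's own code), the Python below covers both remediation step 3 and the sanitizer behaviour the advisory implies: an audit that lists URL-shaped HTTP Request parameters carrying a path or query string, and a redaction that keeps only scheme and host so no partial fragment of a tenant ID or signed token can survive into telemetry. The workflow definition is constructed sample input and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed n8n-style workflow definition (sample input, not a real customer workflow).
WORKFLOW = {"nodes": [
    {"name": "Fetch CRM", "type": "n8n-nodes-base.httpRequest", "parameters": {
        "url": "https://crm.example.com/api/v2/tenants/acme-4471/contacts?api_key=demo-secret-123"}},
    {"name": "Get report", "type": "n8n-nodes-base.httpRequest", "parameters": {
        "url": "https://reports.s3.example.com/acme/q1.pdf?X-Amz-Signature=ab12cd34&X-Amz-Expires=300"}},
    {"name": "Set note", "type": "n8n-nodes-base.set", "parameters": {"note": "hello"}},
]}
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def is_url_shaped(value):
    return isinstance(value, str) and bool(URL_RE.match(value))

def walk_strings(obj, path=()):
    """Yield (path, value) for every string leaf of a nested JSON-like object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_strings(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_strings(v, path + (i,))
    elif isinstance(obj, str):
        yield path, obj

def audit_workflow(workflow):
    """Remediation step 3: report URL-shaped parameters that carry a path or query string."""
    findings = []
    for node in workflow.get("nodes", []):
        for path, value in walk_strings(node.get("parameters", {})):
            if is_url_shaped(value):
                parts = urlsplit(value)
                if parts.query or parts.fragment or parts.path.strip("/"):
                    findings.append((node.get("name"), "/".join(map(str, path)), value))
    return findings

def redact_url(value):
    """Keep scheme and host only; path, query, fragment, userinfo and port are dropped whole."""
    parts = urlsplit(value)
    return urlunsplit((parts.scheme, parts.hostname or "", "", "", ""))

def sanitize_for_telemetry(obj):
    """Rebuild the workflow with every URL-shaped string redacted before it is emitted."""
    if isinstance(obj, dict):
        return {k: sanitize_for_telemetry(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [sanitize_for_telemetry(v) for v in obj]
    return redact_url(obj) if is_url_shaped(obj) else obj
```

Running audit_workflow on the sample flags both HTTP Request nodes, and running it again on the sanitized copy returns nothing, which is the check to add to a telemetry emitter's test suite.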

Exploitation Scenario

A malicious insider or rogue operator with access to the n8n-mcp project's telemetry backend queries stored telemetry records to extract partial URL parameters from victim organizations' workflow definitions. For example, an enterprise using n8n-mcp to automate AI-powered CRM workflows passes customer tenant IDs and short-lived signed S3 URLs as query parameters in HTTP Request nodes—these fragments appear verbatim in collected telemetry. The attacker correlates tenant ID fragments with known customer lists to map the victim's customer base, or uses partial signed URL patterns to infer internal storage bucket naming conventions and endpoint structure, enabling targeted follow-on reconnaissance against the victim's AI pipeline infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
May 18, 2026
Last Modified
May 18, 2026
First Seen
May 18, 2026
