CVE-2026-45707: n8n-mcp: tenant isolation bypass, operator RCE risk

## Summary When `ENABLE_MULTI_TENANT=true`, the HTTP transport documents that the target n8n instance is selected per-request from `x-n8n-url` / `x-n8n-key` headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level `N8N_API_URL` / `N8N_API_KEY` credentials configured for the operator's own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own. This affects HTTP-mode deployments of `n8n-mcp` that are run as a shared multi-tenant service. Single-tenant deployments (`ENABLE_MULTI_TENANT` unset or `false`) are not affected. ## Impact An authenticated MCP tenant exploiting this path could read and write workflows, executions, data-table contents, and credential metadata on the operator's n8n instance. If the operator's n8n permits Code-node execution that reaches OS-level modules, the path could escalate to remote code execution inside the operator's n8n runtime. The process-level `N8N_API_KEY` is, in practice, a high-privilege key — Community Edition keys are unscoped by default, and even Enterprise scopes were configured for the operator's own needs and would carry over wholesale to a tenant who triggered the fallback. ## Patches Fixed in **n8n-mcp 2.51.2**. The fix: - Rejects header-less multi-tenant requests at the HTTP edge with HTTP 400 / JSON-RPC `-32602` before any handler runs. - Refuses to construct an env-credential n8n API client when `ENABLE_MULTI_TENANT=true`. - Closes secondary leak paths in trigger handlers and in the responses of `n8n_health_check`, `n8n_diagnostic`, `n8n_deploy_template`, and `n8n_audit_instance` so the operator's URL and env-key indicator are not surfaced to tenants. Single-tenant behavior is unchanged. ## Upgrade ```bash # NPM npx n8n-mcp@latest # Docker docker pull ghcr.io/czlonkowski/n8n-mcp:latest ``` ## Workarounds If an immediate upgrade is not possible, any one of the following reduces or eliminates exposure: - **Disable multi-tenant mode.** Set `ENABLE_MULTI_TENANT=false` (or unset it) and run a separate n8n-mcp instance per tenant with that tenant's own `N8N_API_URL` / `N8N_API_KEY`. This removes the affected code path entirely. - **Reject malformed requests at a proxy.** Require both `x-n8n-url` and `x-n8n-key` headers on every request and return 400 if either is missing. Neutralizes the primary header-omission path but does not address the secondary response-shape disclosures, so this is a partial mitigation only. - **Reduce the blast radius of the operator API key.** If your n8n instance supports API key scoping (Enterprise, or a Community Edition build that exposes scopes), provision the operator's `N8N_API_KEY` with the minimum scopes required for the operator's own n8n-mcp functions. This does not close the boundary break but limits what a falling-back tenant can do. ## Credit Reported by [@u-ktdi](https://github.com/u-ktdi).

An adversary registers as a legitimate tenant on a shared n8n-mcp HTTP service (ENABLE_MULTI_TENANT=true). They craft MCP HTTP requests deliberately omitting the x-n8n-url and x-n8n-key headers. The unpatched server receives header-incomplete requests and silently falls back to the operator's process-level N8N_API_URL and N8N_API_KEY. All subsequent n8n management calls execute against the operator's n8n instance — the adversary enumerates all workflows, reads stored credential metadata (LLM API keys, SaaS OAuth tokens, database passwords), and exfiltrates execution history. If Code-node execution is enabled with OS-level module access, the adversary deploys a malicious workflow containing a Node.js Code node that spawns a reverse shell, achieving persistent RCE in the operator's environment with no additional steps.