## Summary In multi-tenant HTTP mode (`ENABLE_MULTI_TENANT=true`), an authenticated tenant could, under certain conditions, reach n8n-mcp's local default-scope `workflow_versions` backups instead of being confined to its own tenant scope. This affects n8n-mcp's own local workflow-version storage,...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | <= 2.57.3 | 2.57.4 |
Do you use n8n? You're affected.
How severe is it?
What is the attack surface?
What should I do?
Patch available
Update n8n to version 2.57.4
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-55608?
## Summary In multi-tenant HTTP mode (`ENABLE_MULTI_TENANT=true`), an authenticated tenant could, under certain conditions, reach n8n-mcp's local default-scope `workflow_versions` backups instead of being confined to its own tenant scope. This affects n8n-mcp's own local workflow-version storage, not a normal n8n API capability. ## Impact An authenticated MCP HTTP tenant could read or delete workflow-version backups stored in the default (single-tenant) scope — for example backups left from a prior single-tenant deployment or a migration period. Workflow snapshots may contain sensitive workflow configuration depending on their contents. Single-tenant and stdio deployments are not affected. ## Affected versions `<= 2.57.3` ## Patched version `2.57.4` ## Remediation Upgrade to n8n-mcp `2.57.4` or later. The fix requires a complete tenant context in multi-tenant mode and fails closed for workflow-version access that cannot be attributed to a specific tenant. ## Workarounds - Restrict network access to the HTTP endpoint (firewall / reverse proxy / VPN) so only trusted callers can reach it. - Run in stdio mode, which has no multi-tenant HTTP surface. - If default-scope backups from a prior single-tenant deployment are not needed, removing them eliminates the exposure. ## Credit Reported by @DavidCarliez.
Is CVE-2026-55608 actively exploited?
No confirmed active exploitation of CVE-2026-55608 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-55608?
Update to patched version: n8n 2.57.4.
What is the CVSS score for CVE-2026-55608?
CVE-2026-55608 has a CVSS v3.1 base score of 4.2 (MEDIUM).
What are the technical details?
Original Advisory
## Summary In multi-tenant HTTP mode (`ENABLE_MULTI_TENANT=true`), an authenticated tenant could, under certain conditions, reach n8n-mcp's local default-scope `workflow_versions` backups instead of being confined to its own tenant scope. This affects n8n-mcp's own local workflow-version storage, not a normal n8n API capability. ## Impact An authenticated MCP HTTP tenant could read or delete workflow-version backups stored in the default (single-tenant) scope — for example backups left from a prior single-tenant deployment or a migration period. Workflow snapshots may contain sensitive workflow configuration depending on their contents. Single-tenant and stdio deployments are not affected. ## Affected versions `<= 2.57.3` ## Patched version `2.57.4` ## Remediation Upgrade to n8n-mcp `2.57.4` or later. The fix requires a complete tenant context in multi-tenant mode and fails closed for workflow-version access that cannot be attributed to a specific tenant. ## Workarounds - Restrict network access to the HTTP endpoint (firewall / reverse proxy / VPN) so only trusted callers can reach it. - Run in stdio mode, which has no multi-tenant HTTP surface. - If default-scope backups from a prior single-tenant deployment are not needed, removing them eliminates the exposure. ## Credit Reported by @DavidCarliez.
Weaknesses (CWE)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Primary
CWE-863 Incorrect Authorization
Primary
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials
Same package: n8n CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same package: n8n CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same package: n8n CVE-2026-27495 9.9 n8n: Code Injection enables RCE
Same package: n8n CVE-2026-27577 9.9 n8n: Code Injection enables RCE
Same package: n8n