GHSA-75hx-xj24-mqrw: n8n-mcp: unauthenticated HTTP endpoints enable DoS + recon
GHSA-75hx-xj24-mqrw
Severity: HIGH

The n8n-mcp HTTP transport exposed MCP session management endpoints without any authentication and leaked operational metadata via an unprotected health check, allowing any network-reachable attacker to terminate active MCP sessions and enumerate system state. For organizations running AI agent workflows through n8n — where MCP is the integration layer between LLMs and external tools — session disruption halts AI pipelines mid-execution, which can mean broken automations, failed compliance workflows, or interrupted agentic tasks. With a CVSS of 8.2, no privileges required, and trivial network-based exploitation, the risk of opportunistic attack on exposed instances is non-trivial; no public exploit exists yet and it is not in CISA KEV, but 58 prior CVEs in this package signal a pattern of recurring security debt worth monitoring. Patch to v2.47.6 immediately, or restrict HTTP access via firewall/reverse proxy allowlist, or switch to stdio mode (`MCP_MODE=stdio`) which eliminates the HTTP attack surface entirely.
Risk Assessment
HIGH risk for organizations with externally or internally exposed n8n-mcp HTTP servers. CVSS 8.2 with AV:N/AC:L/PR:N/UI:N means zero-friction exploitation for any attacker with network access — no credentials, no special knowledge, no user interaction required. Availability impact is HIGH (full session disruption), confidentiality is LOW (metadata only). The OpenSSF scorecard of 5.9/10 and 58 prior CVEs in the same package indicate systemic security hygiene issues. No active exploitation observed, but the trivial nature of the attack lowers the bar significantly for exploitation once attackers enumerate exposed deployments.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n-mcp | npm | <= 2.47.5 | 2.47.6 |
Recommended Action
1. **Patch immediately**: Upgrade n8n-mcp to v2.47.6 — all MCP session endpoints now require Bearer token authentication and the health check returns minimal liveness data only.
2. **Network restriction (if patching is delayed)**: Apply firewall rules or reverse proxy IP allowlists so only trusted clients reach the n8n-mcp HTTP server.
3. **Switch to stdio mode**: Set `MCP_MODE=stdio` to eliminate the HTTP transport entirely — stdio does not expose any HTTP endpoints and is unaffected.
4. **Detection**: Review HTTP access logs for unauthenticated requests to `/health`, `/session`, or `/mcp` endpoints originating from unexpected source IPs.
5. **Audit exposure**: Identify all instances running n8n-mcp <= 2.47.5 in your environment, prioritizing any exposed beyond the internal network perimeter.
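The detection and audit steps above can be scripted. The following Node.js snippet is an added example written for this page, not code from the n8n-mcp project: it scans constructed access-log lines for unauthenticated requests to `/health`, `/session` and `/mcp` from IPs outside a trusted allowlist, and checks a constructed host inventory against the vulnerable range (<= 2.47.5). The log format (combined log with a trailing quoted field holding the Authorization scheme or `-`), the allowlist and the inventory are all assumptions for the example; real deployments will typically take the auth field from a reverse proxy log.

```javascript
// Added example, not n8n-mcp's own code: the two checks from the advisory's
// "Detection" and "Audit exposure" steps, run over constructed sample data.
// The log format (combined log plus a trailing quoted field holding the
// Authorization scheme or "-") and the host inventory are assumptions.
'use strict';

const WATCHED_PATHS = ['/health', '/session', '/mcp']; // from the advisory
const PATCHED_VERSION = '2.47.6';                     // from the advisory

// Trusted MCP clients (constructed allowlist for this example).
const ALLOWLIST = new Set(['10.0.0.5', '10.0.0.6']);

// Constructed access-log lines; real lines would come from the reverse proxy.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "POST /mcp HTTP/1.1" 200 312 "Bearer"',
  '198.51.100.23 - - [01/Mar/2026:10:00:07 +0000] "GET /health HTTP/1.1" 200 742 "-"',
  '198.51.100.23 - - [01/Mar/2026:10:00:09 +0000] "DELETE /session/abc123 HTTP/1.1" 200 0 "-"',
  '10.0.0.5 - - [01/Mar/2026:10:00:12 +0000] "GET /health?v=1 HTTP/1.1" 200 742 "-"',
  '203.0.113.9 - - [01/Mar/2026:10:01:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-"',
  '203.0.113.9 - - [01/Mar/2026:10:01:03 +0000] "POST /mcp HTTP/1.1" 401 0 "-"',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, never trusted
  return { ip: m[1], ts: m[2], method: m[3], path: m[4].split('?')[0],
           status: Number(m[5]), auth: m[6] === '-' ? null : m[6] };
}

function isWatched(path) {
  return WATCHED_PATHS.some((w) => path === w || path.startsWith(w + '/'));
}

// Flag unauthenticated requests to the advisory's endpoints from IPs outside
// the allowlist. Severity: 'high' for a mutating call the server accepted,
// 'low' if the server already rejected it (4xx), 'medium' otherwise.
function findSuspicious(lines, allowlist) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.auth || allowlist.has(r.ip) || !isWatched(r.path)) continue;
    const mutating = r.method === 'DELETE' || r.method === 'POST';
    const rejected = r.status >= 400;
    findings.push({ ...r, severity: rejected ? 'low' : mutating ? 'high' : 'medium' });
  }
  return findings;
}

// Numeric dotted-version compare; a leading "v" and any prerelease suffix
// are ignored (an assumption that keeps the example dependency-free).
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, PATCHED_VERSION) < 0; // i.e. <= 2.47.5
}

// Constructed inventory: host, installed version, and whether the HTTP
// listener is reachable beyond the internal network perimeter.
const INVENTORY = [
  { host: 'mcp-01.internal', version: '2.47.5', external: false },
  { host: 'mcp-02.internal', version: '2.47.6', external: false },
  { host: 'mcp-edge.example', version: 'v2.40.0', external: true },
];

// Vulnerable hosts, externally exposed ones first, as the advisory prioritises.
function auditInventory(inventory) {
  return inventory.filter((h) => isVulnerable(h.version))
                  .sort((a, b) => Number(b.external) - Number(a.external));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findSuspicious(SAMPLE_LOG, ALLOWLIST));
  console.log(auditInventory(INVENTORY));
}
```

Run it with `node` to see the three flagged requests and the two vulnerable hosts; a `low` finding with a 401 status is what a probe against an already-patched server looks like, while a `high` finding with a 200 status on a `DELETE /session/...` is the session-termination pattern the advisory describes.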
Frequently Asked Questions
Is GHSA-75hx-xj24-mqrw actively exploited?
No confirmed active exploitation of GHSA-75hx-xj24-mqrw has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-75hx-xj24-mqrw?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM tool orchestration, workflow automation with AI integration, MCP-based AI tool servers.
What is the CVSS score for GHSA-75hx-xj24-mqrw?
GHSA-75hx-xj24-mqrw has a CVSS v3.1 base score of 8.2 (HIGH).
Technical Details
NVD Description
### Summary

Several HTTP transport endpoints in n8n-mcp lacked proper authentication, and the health check endpoint exposed sensitive operational metadata without credentials.

### Impact

An unauthenticated attacker with network access to the n8n-mcp HTTP server could disrupt active MCP sessions and gather information useful for further attacks.

### Patches

Fixed in **v2.47.6**. All MCP session endpoints now require Bearer authentication. The health check endpoint has been reduced to a minimal liveness response.

### Workarounds

If you cannot upgrade immediately:

- **Restrict network access** to the HTTP server using firewall rules, reverse proxy IP allowlists, or a VPN so that only trusted clients can reach it.
- **Use stdio mode** (`MCP_MODE=stdio`) instead of HTTP mode. The stdio transport does not expose any HTTP endpoints and is unaffected by this vulnerability.

Upgrading to v2.47.6 is still strongly recommended.

### Credit

Reported by @yotampe-pluto.
Exploitation Scenario
An attacker performs a port scan or scrapes Shodan/Censys for exposed n8n-mcp HTTP servers (default port). They first query the unauthenticated `/health` endpoint to confirm the target is running n8n-mcp and extract operational metadata — active session counts, server version, uptime — enabling reconnaissance without triggering most auth-based alerts. Armed with session context, they send unauthenticated DELETE or POST requests to MCP session endpoints, forcibly terminating active sessions. This disrupts any LLM agent tasks mid-execution: half-completed tool calls fail, dependent automation workflows abort, and AI-driven business processes stall. In a targeted attack, the disruption is timed to coincide with a critical operation (e.g., automated compliance report generation or real-time security monitoring using AI agents).
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Related Vulnerabilities
| CVE | CVSS | Title | Relation |
|---|---|---|---|
| CVE-2026-33663 | 10.0 | n8n: member role steals plaintext HTTP credentials | Same package: n8n |
| CVE-2026-33660 | 10.0 | TensorFlow: type confusion NPD in tensor conversion | Same package: n8n |
| CVE-2026-21858 | 10.0 | n8n: Input Validation flaw enables exploitation | Same package: n8n |
| CVE-2025-68668 | 9.9 | n8n: Protection Bypass circumvents security controls | Same package: n8n |
| CVE-2026-27495 | 9.9 | n8n: Code Injection enables RCE | Same package: n8n |