CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-75HX-XJ24-MQRW

GHSA-75HX-XJ24-MQRW: Unauthenticated Access and Information Exposure in n8n-mcp HTTP Transport

Amit Schendel
Amit Schendel
Senior Security Researcher

Apr 11, 2026·6 min read·17 visits

Executive Summary (TL;DR)

Unauthenticated access and information leaks in n8n-mcp allow attackers to extract session IDs and perform denial-of-service via unauthorized session termination. Patched in v2.47.6.

The n8n-mcp package prior to version 2.47.6 suffers from missing authentication checks and information disclosure vulnerabilities. Unauthenticated attackers can exploit exposed health endpoints to extract active session identifiers, and subsequently terminate or interact with Model Context Protocol (MCP) sessions.

Vulnerability Overview

The n8n-mcp package functions as a Model Context Protocol (MCP) server, facilitating interaction between AI assistants and the n8n automation platform. This server utilizes HTTP transport to manage sessions, negotiate protocols, and stream messages between the client and the underlying n8n instance. Proper access control across all HTTP endpoints is critical to maintain session integrity and prevent unauthorized interaction.

Security researchers identified multiple severe flaws in the HTTP transport implementation of n8n-mcp prior to version 2.47.6. Several endpoints responsible for session discovery, termination, and health checking omitted fundamental authentication requirements. These flaws map directly to CWE-306 (Missing Authentication for Critical Function) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

The vulnerability surface encompasses four distinct endpoints: GET /health, GET /mcp, DELETE /mcp, and POST /mcp/test. An unauthenticated network attacker can leverage these exposed interfaces to map active transport connections and disrupt established AI assistant sessions. The combination of an information leak and an unauthenticated state-modification endpoint creates a reliable attack chain for targeted denial-of-service.

Root Cause Analysis

The core issue stems from an inconsistent application of the authenticateRequest middleware and the authLimiter rate-limiting component across the application's routing logic. The developers explicitly protected message transmission routes, such as POST /mcp and POST /messages, but failed to apply these same security controls to session management routes. The discovery (GET /mcp) and termination (DELETE /mcp) endpoints relied on implicit application state rather than explicit authorization validation.

Concurrently, the /health endpoint suffered from an insecure design choice. Intended primarily as a Docker health check or liveness probe, the implementation inadvertently functioned as a comprehensive diagnostic interface. It aggregated and returned sensitive internal state data, including memory utilization, security configuration flags, and most critically, an array of all active transport session identifiers.

Because the /health endpoint bypassed authentication by design to accommodate container orchestration probes, it exposed this diagnostic payload to any network-adjacent actor. The application bound session identifiers securely under normal circumstances, but the verbose health response negated these protections by broadcasting the session keys directly. This specific failure mode highlights the danger of conflating liveness probes with diagnostic telemetry.

Code Analysis

The patch implemented in commit ca9d4b3df6419b8338983be98f7940400f78bde3 resolves both the missing authentication and the information disclosure flaws. The primary architectural change involves enforcing the authenticateRequest verification pattern and the authLimiter middleware on previously exposed routes. The developers completely removed the unauthenticated POST /mcp/test mock endpoint, eliminating it from the attack surface.

The most substantial modification occurs within the src/http-server-single-session.ts file. The vulnerable implementation of the /health endpoint previously returned a highly verbose JSON object containing a sessions object with an array of activeTransports. The patched version strips this payload down to a minimal liveness envelope containing only a status string, application version, uptime integer, and timestamp string.

// VULNERABLE CODE
app.get('/health', (req, res) => {
  const activeTransports = Object.keys(this.transports);
  res.json({ 
    status: 'ok', 
    sessions: {
      active: sessionMetrics.activeSessions,
      sessionIds: activeTransports
    },
    security: {
      defaultToken: isDefaultToken,
    },
    // ...
  });
});

Furthermore, the session management routes now require explicit authentication prior to processing requests. The patch prepends the authLimiter to the route definition and evaluates the authenticateRequest function before executing route logic.

// PATCHED CODE
app.get('/mcp', authLimiter, async (req, res) => {
  if (!this.authenticateRequest(req, res)) return;
  // Normal route logic proceeds here
});

Exploitation Methodology

An attacker exploits this vulnerability chain in two distinct phases: reconnaissance and execution. First, the attacker issues a standard HTTP GET request to the target server's /health endpoint. The target server responds with a JSON payload containing the sessions.sessionIds array, which lists the exact identifiers for all actively connected MCP clients.

GET /health HTTP/1.1
Host: target-ip:3000

Once the attacker possesses a valid session ID, they proceed to the execution phase. The attacker crafts an HTTP DELETE request directed at the /mcp endpoint. Crucially, the attacker includes the newly acquired session ID within the Mcp-Session-Id HTTP header. Because the target server processes this request without evaluating the AUTH_TOKEN, the attack succeeds regardless of the application's credential configuration.

DELETE /mcp HTTP/1.1
Host: target-ip:3000
Mcp-Session-Id: <leaked-id>

Upon receiving the unauthenticated termination request, the target server abruptly closes the transport connection and tears down the associated MCP server instance. The legitimate user loses connectivity immediately, resulting in a targeted denial-of-service condition. This attack requires only standard network routing and zero specialized exploit tooling.

Impact Assessment

The primary consequence of this vulnerability is an unauthenticated, targeted denial-of-service. Attackers can monitor the /health endpoint continuously to identify new sessions as they initialize. By scripting the extraction and termination phases, an adversary can prevent any legitimate AI assistant from maintaining a stable connection with the n8n-mcp server, completely disrupting automated workflows.

Beyond the denial-of-service capability, the information disclosure flaw presents a secondary risk vector. The vulnerable /health endpoint exposes a security.defaultToken boolean flag. This metric explicitly informs the attacker whether the server administrator failed to rotate the default, hardcoded authentication token (REPLACE_THIS_AUTH_TOKEN_...).

If an attacker identifies that the default token remains active, they bypass the need for session ID hijacking entirely. They can authenticate natively utilizing the known default credential, granting them full administrative control over the MCP interfaces. This elevates the impact from denial-of-service to unauthorized protocol interaction and potential workflow manipulation.

Remediation and Mitigation

The authoritative remediation for this vulnerability requires upgrading the n8n-mcp package to version 2.47.6 or later. Organizations managing automated workflows via NPM deployments must execute package updates to ensure the patched middleware logic applies to their environment. Deployments utilizing Docker containers should pull the latest version tag and rebuild their deployment artifacts to inherit the secured health endpoint.

For environments where immediate patching is unfeasible, administrators must implement network-level access controls. Configuring firewall rules or reverse proxy restrictions to limit access to the n8n-mcp HTTP port mitigates the risk of external exploitation. Specifically, external actors must not reach the /health or /mcp routes under any circumstances.

Administrators must also review their application configuration to confirm the AUTH_TOKEN environment variable contains a strong, unique cryptographic value. Validating that the security.defaultToken flag evaluates to false ensures the system remains resilient against trivial credential stuffing attacks, regardless of the software version in use.

Official Patches

n8nRelease v2.47.6 containing security fixes

Fix Analysis (1)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Affected Systems

n8n-mcp HTTP Transport Server

Affected Versions Detail

Product
Affected Versions
Fixed Version
n8n-mcp
n8n
< 2.47.62.47.6
AttributeDetail
Primary CWECWE-306: Missing Authentication for Critical Function
Secondary CWECWE-200: Exposure of Sensitive Information
Attack VectorNetwork
CVSS Score7.5 (High)
Exploit StatusProof of Concept Available
ImpactTargeted Denial of Service, Information Disclosure

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1498Network Denial of Service
Impact
CWE-306
Missing Authentication for Critical Function

Missing Authentication for Critical Function and Exposure of Sensitive Information to an Unauthorized Actor

Known Exploits & Detection

Nuclei Template ConceptA Nuclei template methodology for checking the /health endpoint for the leaked 'sessionIds' key.

Vulnerability Timeline

Patch authored and fix commit ca9d4b3df6419b8338983be98f7940400f78bde3 pushed.
2026-04-09
Security advisory GHSA-75HX-XJ24-MQRW published.
2026-04-09
Fixed version v2.47.6 officially released.
2026-04-10
Public disclosure of technical vulnerability details.
2026-04-11

References & Sources

  • [1]GitHub Advisory: GHSA-75HX-XJ24-MQRW
  • [2]n8n-mcp Repository
  • [3]Fix Commit: ca9d4b3df6419b8338983be98f7940400f78bde3
  • [4]Aliyun Vulnerability Database Record: AVD-2026-1867416

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•7 minutes ago•GHSA-XRMC-C5CG-RV7X
8.8

GHSA-XRMC-C5CG-RV7X: Security Bypass Vulnerability in safeinstall-cli Command Parser

A high-severity security bypass vulnerability exists in safeinstall-cli up to version 0.10.1. Due to multiple logical limitations in its shell command parsing mechanism (guard-parser), attackers can craft specific shell commands that completely evade the Agent Guard interceptor hooks. This allows arbitrary unverified installations and code executions on the developer system when executed by AI coding agents.

Alon Barad
Alon Barad
0 views•7 min read
•35 minutes ago•GHSA-WM45-QH3G-V83F
7.7

GHSA-WM45-QH3G-V83F: Arbitrary Server-Side File Read and Exfiltration via Attachment Upload in mcp-atlassian

An arbitrary server-side file read vulnerability exists in the mcp-atlassian integration server. Remote clients utilizing SSE or HTTP transports can exploit the lack of directory containment on attachment-upload tools to resolve and read arbitrary host files, exfiltrating them directly to Atlassian Jira or Confluence.

Amit Schendel
Amit Schendel
1 views•8 min read
•about 1 hour ago•GHSA-G5R6-GV6M-F5JV
7.7

GHSA-G5R6-GV6M-F5JV: Arbitrary File Read and Exfiltration in mcp-atlassian via Missing Path Validation

A directory traversal vulnerability exists in the mcp-atlassian integration server prior to version 0.22.0. The confluence_upload_attachment tool fails to restrict the paths of uploaded files, allowing authenticated users or external prompt injection payloads to retrieve and exfiltrate arbitrary files from the server's filesystem into Confluence.

Amit Schendel
Amit Schendel
3 views•7 min read
•about 2 hours ago•CVE-2026-54158
9.9

CVE-2026-54158: Stored Cross-Site Scripting to Host Remote Code Execution in SiYuan

A critical-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the SiYuan personal knowledge management system. Due to missing sanitization in the attribute-view cell renderer and an insecure Electron default configuration (nodeIntegration: true), attackers can execute arbitrary commands on the victim's host operating system through synchronized workspaces.

Alon Barad
Alon Barad
6 views•5 min read
•about 2 hours ago•CVE-2026-50551
9.9

CVE-2026-50551: Stored Cross-Site Scripting to Remote Code Execution via Attribute View Asset Cell Renderer in SiYuan

A critical-severity stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan's Attribute View database asset cell renderer. This flaw allows low-privilege authenticated users to execute arbitrary JavaScript in the application frontend. In Electron-based desktop clients, this execution context can be leveraged to execute arbitrary native operating system commands, resulting in complete system compromise.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 3 hours ago•GHSA-H4G2-XFMW-Q2C9
8.7

GHSA-H4G2-XFMW-Q2C9: Missing Authentication Bypass in Clauster Configuration Validator

Clauster versions up to and including v0.2.1 suffer from an authentication bypass vulnerability. This issue occurs when Clauster is configured with an authentication method but the master auth.enabled key is omitted or set to false, allowing unauthenticated network access to administrative endpoints and arbitrary code execution through managed Claude Code bridges.

Amit Schendel
Amit Schendel
4 views•5 min read