Apr 11, 2026·6 min read·17 visits
Unauthenticated access and information leaks in n8n-mcp allow attackers to extract session IDs and perform denial-of-service via unauthorized session termination. Patched in v2.47.6.
The n8n-mcp package prior to version 2.47.6 suffers from missing authentication checks and information disclosure vulnerabilities. Unauthenticated attackers can exploit exposed health endpoints to extract active session identifiers, and subsequently terminate or interact with Model Context Protocol (MCP) sessions.
The n8n-mcp package functions as a Model Context Protocol (MCP) server, facilitating interaction between AI assistants and the n8n automation platform. This server utilizes HTTP transport to manage sessions, negotiate protocols, and stream messages between the client and the underlying n8n instance. Proper access control across all HTTP endpoints is critical to maintain session integrity and prevent unauthorized interaction.
Security researchers identified multiple severe flaws in the HTTP transport implementation of n8n-mcp prior to version 2.47.6. Several endpoints responsible for session discovery, termination, and health checking omitted fundamental authentication requirements. These flaws map directly to CWE-306 (Missing Authentication for Critical Function) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
The vulnerability surface encompasses four distinct endpoints: GET /health, GET /mcp, DELETE /mcp, and POST /mcp/test. An unauthenticated network attacker can leverage these exposed interfaces to map active transport connections and disrupt established AI assistant sessions. The combination of an information leak and an unauthenticated state-modification endpoint creates a reliable attack chain for targeted denial-of-service.
The core issue stems from an inconsistent application of the authenticateRequest middleware and the authLimiter rate-limiting component across the application's routing logic. The developers explicitly protected message transmission routes, such as POST /mcp and POST /messages, but failed to apply these same security controls to session management routes. The discovery (GET /mcp) and termination (DELETE /mcp) endpoints relied on implicit application state rather than explicit authorization validation.
Concurrently, the /health endpoint suffered from an insecure design choice. Intended primarily as a Docker health check or liveness probe, the implementation inadvertently functioned as a comprehensive diagnostic interface. It aggregated and returned sensitive internal state data, including memory utilization, security configuration flags, and most critically, an array of all active transport session identifiers.
Because the /health endpoint bypassed authentication by design to accommodate container orchestration probes, it exposed this diagnostic payload to any network-adjacent actor. The application bound session identifiers securely under normal circumstances, but the verbose health response negated these protections by broadcasting the session keys directly. This specific failure mode highlights the danger of conflating liveness probes with diagnostic telemetry.
The patch implemented in commit ca9d4b3df6419b8338983be98f7940400f78bde3 resolves both the missing authentication and the information disclosure flaws. The primary architectural change involves enforcing the authenticateRequest verification pattern and the authLimiter middleware on previously exposed routes. The developers completely removed the unauthenticated POST /mcp/test mock endpoint, eliminating it from the attack surface.
The most substantial modification occurs within the src/http-server-single-session.ts file. The vulnerable implementation of the /health endpoint previously returned a highly verbose JSON object containing a sessions object with an array of activeTransports. The patched version strips this payload down to a minimal liveness envelope containing only a status string, application version, uptime integer, and timestamp string.
// VULNERABLE CODE
app.get('/health', (req, res) => {
const activeTransports = Object.keys(this.transports);
res.json({
status: 'ok',
sessions: {
active: sessionMetrics.activeSessions,
sessionIds: activeTransports
},
security: {
defaultToken: isDefaultToken,
},
// ...
});
});Furthermore, the session management routes now require explicit authentication prior to processing requests. The patch prepends the authLimiter to the route definition and evaluates the authenticateRequest function before executing route logic.
// PATCHED CODE
app.get('/mcp', authLimiter, async (req, res) => {
if (!this.authenticateRequest(req, res)) return;
// Normal route logic proceeds here
});An attacker exploits this vulnerability chain in two distinct phases: reconnaissance and execution. First, the attacker issues a standard HTTP GET request to the target server's /health endpoint. The target server responds with a JSON payload containing the sessions.sessionIds array, which lists the exact identifiers for all actively connected MCP clients.
GET /health HTTP/1.1
Host: target-ip:3000Once the attacker possesses a valid session ID, they proceed to the execution phase. The attacker crafts an HTTP DELETE request directed at the /mcp endpoint. Crucially, the attacker includes the newly acquired session ID within the Mcp-Session-Id HTTP header. Because the target server processes this request without evaluating the AUTH_TOKEN, the attack succeeds regardless of the application's credential configuration.
DELETE /mcp HTTP/1.1
Host: target-ip:3000
Mcp-Session-Id: <leaked-id>Upon receiving the unauthenticated termination request, the target server abruptly closes the transport connection and tears down the associated MCP server instance. The legitimate user loses connectivity immediately, resulting in a targeted denial-of-service condition. This attack requires only standard network routing and zero specialized exploit tooling.
The primary consequence of this vulnerability is an unauthenticated, targeted denial-of-service. Attackers can monitor the /health endpoint continuously to identify new sessions as they initialize. By scripting the extraction and termination phases, an adversary can prevent any legitimate AI assistant from maintaining a stable connection with the n8n-mcp server, completely disrupting automated workflows.
Beyond the denial-of-service capability, the information disclosure flaw presents a secondary risk vector. The vulnerable /health endpoint exposes a security.defaultToken boolean flag. This metric explicitly informs the attacker whether the server administrator failed to rotate the default, hardcoded authentication token (REPLACE_THIS_AUTH_TOKEN_...).
If an attacker identifies that the default token remains active, they bypass the need for session ID hijacking entirely. They can authenticate natively utilizing the known default credential, granting them full administrative control over the MCP interfaces. This elevates the impact from denial-of-service to unauthorized protocol interaction and potential workflow manipulation.
The authoritative remediation for this vulnerability requires upgrading the n8n-mcp package to version 2.47.6 or later. Organizations managing automated workflows via NPM deployments must execute package updates to ensure the patched middleware logic applies to their environment. Deployments utilizing Docker containers should pull the latest version tag and rebuild their deployment artifacts to inherit the secured health endpoint.
For environments where immediate patching is unfeasible, administrators must implement network-level access controls. Configuring firewall rules or reverse proxy restrictions to limit access to the n8n-mcp HTTP port mitigates the risk of external exploitation. Specifically, external actors must not reach the /health or /mcp routes under any circumstances.
Administrators must also review their application configuration to confirm the AUTH_TOKEN environment variable contains a strong, unique cryptographic value. Validating that the security.defaultToken flag evaluates to false ensures the system remains resilient against trivial credential stuffing attacks, regardless of the software version in use.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
n8n-mcp n8n | < 2.47.6 | 2.47.6 |
| Attribute | Detail |
|---|---|
| Primary CWE | CWE-306: Missing Authentication for Critical Function |
| Secondary CWE | CWE-200: Exposure of Sensitive Information |
| Attack Vector | Network |
| CVSS Score | 7.5 (High) |
| Exploit Status | Proof of Concept Available |
| Impact | Targeted Denial of Service, Information Disclosure |
Missing Authentication for Critical Function and Exposure of Sensitive Information to an Unauthorized Actor
An authentication bypass and token leakage vulnerability exists in TSDProxy before version 1.4.4. The application unconditionally forwards its internal administrative token to all proxied backend services when identity headers are enabled. Attackers with control over an upstream backend can capture this token and replay it to the local management API to achieve full administrative control over the proxy engine.
A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan prior to version 3.7.0. The vulnerability is located within the server-side Markdown-to-HTML parsing component for the Bazaar marketplace packages. Due to an incomplete event-handler attribute blocklist in the lute parsing engine and a lack of client-side DOM sanitization, malicious package authors can bypass restrictions using modern HTML5 event handlers. When an authenticated administrator views a malicious package, the embedded JavaScript runs in the administrator origin, allowing unauthorized workspace access, local file reading, and remote API execution.
A DNS-rebinding Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mcp-atlassian server before version 0.17.0. The server processes unauthenticated client-supplied URLs via custom headers, validating the destination IP but failing to pin the resolved address before connecting. This allows remote adjacent-network attackers to achieve Server-Side Request Forgery (SSRF) and access restricted resources or cloud metadata services.
A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.
CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.
CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.