CVE-2026-45582
EUVD-2026-3331929.05.2026, 14:16
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| n8n-mcp | n8n-mcp | 𝑥 < 2.51.3 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration