GHSA-2cf7-hpwf-47h9MediumCVSS 4.2

n8n-MCP: Incorrect authorization can expose default-scope workflow version backups in multi-tenant HTTP mode

Published
July 14, 2026
Last Modified
July 14, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

In multi-tenant HTTP mode (ENABLE_MULTI_TENANT=true), an authenticated tenant could, under certain conditions, reach n8n-mcp's local default-scope workflow_versions backups instead of being confined to its own tenant scope. This affects n8n-mcp's own local workflow-version storage, not a normal n8n API capability.

Impact

An authenticated MCP HTTP tenant could read or delete workflow-version backups stored in the default (single-tenant) scope — for example backups left from a prior single-tenant deployment or a migration period. Workflow snapshots may contain sensitive workflow configuration depending on their contents. Single-tenant and stdio deployments are not affected.

Affected versions

<= 2.57.3

Patched version

2.57.4

Remediation

Upgrade to n8n-mcp 2.57.4 or later. The fix requires a complete tenant context in multi-tenant mode and fails closed for workflow-version access that cannot be attributed to a specific tenant.

Workarounds

  • Restrict network access to the HTTP endpoint (firewall / reverse proxy / VPN) so only trusted callers can reach it.
  • Run in stdio mode, which has no multi-tenant HTTP surface.
  • If default-scope backups from a prior single-tenant deployment are not needed, removing them eliminates the exposure.

Credit

Reported by @DavidCarliez.

🎯 Affected products1

  • npm/n8n-mcp:<= 2.57.3

🔗 References (4)