CVE-2026-45582
Telemetry Data Leak in n8n-MCP Server
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| czlonkowski | n8n-mcp | 2.51.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45582 is a security vulnerability in the n8n-mcp software where sensitive information embedded in URL-shaped node parameters was not properly redacted before being sent to the anonymous telemetry backend.
Specifically, values such as customer or tenant identifiers, short secrets in query strings, and signed request parameters could appear partially in stored telemetry data, violating the intended privacy boundaries.
The issue was due to the workflow telemetry sanitizer only redacting the hostname part of URLs, leaving path and query string fragments exposed.
This vulnerability was fixed in version 2.51.3 by fully redacting URL-like fields to a placeholder [REDACTED_URL], ensuring no sensitive fragments remain in telemetry data.
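The two sanitizer behaviours described above, side by side, as an added example (not n8n-mcp's own code): a hostname-only redactor that leaves the path and query string in the telemetry payload, and a full redactor that replaces any URL-shaped value with the [REDACTED_URL] placeholder. The function names, the [REDACTED_HOST] marker, the "starts with http(s)://" test for URL-shaped values and the sample node parameters are all assumptions made for the example.

```javascript
// Added example: hostname-only URL redaction (the flawed behaviour) next to
// whole-value redaction (the fixed behaviour). Not code from n8n-mcp.

const REDACTED_URL = '[REDACTED_URL]';

// Assumption for this example: a parameter is "URL-shaped" when it starts
// with http:// or https://.
const URL_SHAPED_RE = /^https?:\/\//i;

// Flawed behaviour: only the hostname is hidden. Path segments such as
// tenant or customer identifiers and query-string secrets survive.
function redactHostnameOnly(value) {
  return value.replace(/^(https?:\/\/)[^/?#]+/i, '$1[REDACTED_HOST]');
}

// Fixed behaviour: the whole URL-shaped value collapses to a placeholder,
// so nothing from the path or query string reaches telemetry.
function redactWholeUrl(_value) {
  return REDACTED_URL;
}

// Recursively sanitize a node's parameters (strings, arrays, nested objects),
// applying `redactUrl` to every URL-shaped string and copying the rest.
function sanitizeParameters(params, redactUrl) {
  if (typeof params === 'string') {
    return URL_SHAPED_RE.test(params) ? redactUrl(params) : params;
  }
  if (Array.isArray(params)) {
    return params.map((p) => sanitizeParameters(p, redactUrl));
  }
  if (params !== null && typeof params === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(params)) {
      out[key] = sanitizeParameters(value, redactUrl);
    }
    return out;
  }
  return params; // numbers, booleans, null, undefined pass through unchanged
}

function sanitizeParametersHostnameOnly(params) {
  return sanitizeParameters(params, redactHostnameOnly);
}

function sanitizeParametersFull(params) {
  return sanitizeParameters(params, redactWholeUrl);
}

// Constructed sample: an HTTP Request node whose URL carries a tenant id,
// a customer id and a signed-request parameter.
const sampleNodeParameters = {
  method: 'GET',
  url: 'https://api.example.com/v1/tenants/acme-42/customers/12345?sig=abcd1234&expires=1700000000',
  options: { headers: [{ name: 'X-Request-Id', value: 'req-1' }] },
};

console.log('hostname-only:', JSON.stringify(sanitizeParametersHostnameOnly(sampleNodeParameters)));
console.log('full:         ', JSON.stringify(sanitizeParametersFull(sampleNodeParameters)));
```

Running it shows the difference the advisory describes: the hostname-only output still contains `acme-42`, `12345` and `sig=abcd1234`, while the full output carries only `[REDACTED_URL]` and the non-URL parameters are left intact.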
How can this vulnerability impact me?
This vulnerability can lead to unauthorized exposure of sensitive information such as customer IDs, tenant identifiers, short secrets, and signed request parameters through telemetry data.
If an attacker gains access to the telemetry storage, they could retrieve these sensitive fragments, potentially compromising user privacy and security.
Although credentials and OAuth tokens are separately sanitized and not affected, the leakage of partial URL parameters still poses a moderate risk.
Users are advised to upgrade to version 2.51.3 where the issue is fixed, or temporarily disable telemetry collection to mitigate the risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability results in the unintended retention and transmission of sensitive information in telemetry data, which can violate privacy and data protection principles outlined in regulations such as GDPR and HIPAA.
Exposing customer or tenant identifiers and secrets in telemetry could be considered a breach of data minimization and confidentiality requirements.
Therefore, organizations using affected versions of n8n-mcp may face compliance risks if this vulnerability is not addressed.
Upgrading to version 2.51.3, which fully redacts sensitive URL parameters in telemetry, helps restore compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves sensitive information leakage in workflow telemetry data, specifically URL-shaped node parameters that may contain customer IDs, tenant identifiers, signed-request parameters, or short tokens. Detection involves inspecting telemetry data storage, such as Supabase tables, for partial URL fragments or sensitive parameters that should have been redacted.
Since the vulnerability relates to telemetry data retention rather than network traffic, direct network commands may not detect it. Instead, you should audit stored telemetry data for unredacted URL fragments.
As a practical step, you can query your telemetry database (e.g., Supabase) for entries containing URL patterns or sensitive parameters, for example with SQL statements that search the telemetry tables for URL-like strings or known sensitive keys.
- Example SQL query to detect unredacted URLs in telemetry data: SELECT * FROM telemetry_table WHERE data LIKE '%http://%' OR data LIKE '%https://%';
- Search for known sensitive parameters in telemetry data: SELECT * FROM telemetry_table WHERE data LIKE '%customer_id=%' OR data LIKE '%tenant_id=%' OR data LIKE '%signed_request=%';
Additionally, review your telemetry configuration and logs to verify if telemetry data is being sent without proper sanitization.
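An offline audit of exported telemetry rows, as an added example that is not part of the advisory or of n8n-mcp. It generalizes the two SQL searches above into one pass: each row's stored data is serialized and scanned both for URL fragments (which also catches hostname-redacted leftovers such as `https://[REDACTED_HOST]/...`) and for query-string keys from a watch list, so a path-only fragment without a scheme is still reported. The row shape, the `[REDACTED_HOST]` marker, the key watch list and the sample rows are assumptions constructed for the example.

```javascript
// Added example: scan exported telemetry rows for unredacted URL fragments
// and sensitive query-string keys. Not n8n-mcp code; row shape is assumed.

// Any http(s) URL remnant. A correctly redacted field holds only
// "[REDACTED_URL]", which this pattern does not match.
const URL_FRAGMENT_RE = /https?:\/\/[^\s"']+/gi;

// key=value pairs introduced by "?" or "&" in paths and query strings.
const QUERY_PAIR_RE = /[?&]([A-Za-z0-9_\-]+)=([^&\s"']*)/g;

// Watch list (assumption): the parameter names the advisory mentions plus
// common names for signatures and tokens.
const SENSITIVE_KEYS = new Set([
  'customer_id', 'tenant_id', 'signed_request',
  'sig', 'signature', 'token', 'api_key', 'apikey', 'access_token',
]);

// Return a list of findings for one row: { id, kind, value }.
function auditTelemetryRow(row) {
  const findings = [];
  const text = typeof row.data === 'string' ? row.data : JSON.stringify(row.data);

  for (const m of text.matchAll(URL_FRAGMENT_RE)) {
    findings.push({ id: row.id, kind: 'url', value: m[0] });
  }
  for (const m of text.matchAll(QUERY_PAIR_RE)) {
    if (SENSITIVE_KEYS.has(m[1].toLowerCase())) {
      findings.push({ id: row.id, kind: 'query_key', value: m[1] });
    }
  }
  return findings;
}

function auditTelemetryRows(rows) {
  return rows.flatMap(auditTelemetryRow);
}

// Constructed sample rows, as they might be exported from a telemetry table:
//   1: sanitized by the fixed version (clean)
//   2: hostname-only redaction, path and query leaked
//   3: a path fragment with no scheme, which a LIKE '%http://%' search misses
const sampleTelemetryRows = [
  { id: 1, data: { node: 'n8n-nodes-base.httpRequest', url: '[REDACTED_URL]' } },
  { id: 2, data: { node: 'n8n-nodes-base.httpRequest',
                   url: 'https://[REDACTED_HOST]/v1/tenants/acme-42/customers/12345?sig=abcd1234' } },
  { id: 3, data: { node: 'n8n-nodes-base.webhook',
                   path: '/hooks/acme?customer_id=12345&tenant_id=acme-42' } },
];

for (const f of auditTelemetryRows(sampleTelemetryRows)) {
  console.log(`row ${f.id}: ${f.kind} -> ${f.value}`);
}
```

Rows flagged by the audit are candidates for the one-time scrub mentioned in the mitigation steps; rows containing only the `[REDACTED_URL]` placeholder produce no findings.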
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade n8n-mcp to version 2.51.3 or later, where the vulnerability is fixed by fully redacting URL-like fields in telemetry data.
If immediate upgrade is not possible, disable anonymous telemetry collection to prevent sensitive data from being sent and stored.
- Set environment variables to disable telemetry: N8N_MCP_TELEMETRY_DISABLED=true, TELEMETRY_DISABLED=true, or DISABLE_TELEMETRY=true.
Consider auditing existing telemetry data storage (e.g., Supabase) for sensitive information and perform a one-time scrubbing if necessary.
Review and harden telemetry collection policies and consider opt-in telemetry defaults to reduce exposure.