CVE-2026-45707: n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own. This affects HTTP-mode deployments of n8n-mcp that are run as a shared multi-tenant service. Single-tenant deployments (ENABLE_MULTI_TENANT unset or false) are not affected. This vulnerability is fixed in 2.51.2.
HarborGuard Analysis
Synopsis
Tenant isolation bypass in n8n-MCP, an MCP server that gives AI assistants access to n8n node documentation and operations. When ENABLE_MULTI_TENANT is enabled, HTTP requests that omit or only partially supply the x-n8n-url and x-n8n-key headers silently fall back to the operator's process-level N8N_API_URL and N8N_API_KEY, so an authenticated tenant can issue n8n management calls against the operator's own n8n instance over the network. Successful exploitation reads and modifies workflows, credentials, and execution data on the operator instance. A patched-image rebuild at 2.51.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines. Coverage includes custom-built images that bundle czlonkowski/n8n-mcp below 2.51.2.
Status: Available
Triage is available using the published CVSS 8.1 (High) score, weighted by each environment's compliance policy so multi-tenant or shared-service deployments rank above isolated single-tenant ones. Findings route to the n8n-mcp owner's inbox inside each customer org.
Status: Available
A patched-image rebuild at 2.51.2 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is produced, a regression test run is executed, and a PR is opened against affected workloads.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the n8n-MCP HTTP transport over the network (AV:N).
- Authentication: Required
  PR:L means any valid MCP tenant credential is sufficient to trigger the fallback.
- Victim interaction: Not required
  UI:N: no operator or end-user action is needed; the server silently falls back when headers are missing.
- Attack complexity: Low
  AC:L: the exploit is reliable and requires no special conditions, just omitting or partially supplying the tenant headers.
Blast Radius
- Reads workflows, credentials metadata, and execution data from the operator's n8n instance via management API calls.
- Modifies or creates workflows and triggers executions on the operator's instance under the operator's own n8n API key.
- Effectively pivots tenant access into operator-level control of the shared n8n backend, breaking multi-tenant isolation.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at czlonkowski/n8n-mcp 2.51.2 is published and matched against affected workloads. For environments with auto-remediation enabled, the rebuild is generated, regression-tested, and proposed via PR against the affected deployments, with a typical median time from CVE publication to merged patch PR around 90 minutes for high-severity issues. Where compliance policy blocks auto-remediation, the finding is routed to the workload owner with the 2.51.2 upgrade path attached, and compensating controls such as disabling ENABLE_MULTI_TENANT, enforcing presence of both x-n8n-url and x-n8n-key at an ingress proxy, or unsetting the process-level N8N_API_URL and N8N_API_KEY can be applied until the rebuild lands.
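To make the fallback concrete, here is an added TypeScript sketch that is not n8n-mcp's own code (function names, types and sample values are hypothetical): a per-request target resolver with the pre-2.51.2 fallback behaviour beside a fail-closed version that requires both headers whenever ENABLE_MULTI_TENANT is true, the same check the compensating controls above place at an ingress proxy.

```typescript
// Added illustration of the CVE-2026-45707 header fallback; this is not
// n8n-mcp's own code. Function and type names are hypothetical.

type Headers = Record<string, string | undefined>;
interface Env { ENABLE_MULTI_TENANT?: string; N8N_API_URL?: string; N8N_API_KEY?: string }
interface Target { url: string; key: string; source: "tenant" | "process" }

// Vulnerable pattern (behaviour the advisory attributes to < 2.51.2): a missing
// or partial header pair falls through to the operator's process-level credentials.
function resolveTargetVulnerable(headers: Headers, env: Env): Target {
  const tenantUrl = headers["x-n8n-url"];
  const tenantKey = headers["x-n8n-key"];
  const url = tenantUrl ?? env.N8N_API_URL;
  const key = tenantKey ?? env.N8N_API_KEY;
  if (!url || !key) throw new Error("no n8n target configured");
  // Only a complete header pair keeps the call on the tenant's own instance.
  const source: Target["source"] = tenantUrl && tenantKey ? "tenant" : "process";
  return { url, key, source };
}

// Hardened pattern: in multi-tenant mode both headers are mandatory and the
// process-level credentials are never consulted, so the request fails closed.
function resolveTargetHardened(headers: Headers, env: Env): Target {
  const tenantUrl = headers["x-n8n-url"];
  const tenantKey = headers["x-n8n-key"];
  if (env.ENABLE_MULTI_TENANT === "true") {
    if (!tenantUrl || !tenantKey) {
      throw new Error("multi-tenant mode requires both x-n8n-url and x-n8n-key");
    }
    return { url: tenantUrl, key: tenantKey, source: "tenant" };
  }
  // Single-tenant mode: headers are ignored; the operator's instance is the only target.
  if (!env.N8N_API_URL || !env.N8N_API_KEY) throw new Error("N8N_API_URL / N8N_API_KEY not set");
  return { url: env.N8N_API_URL, key: env.N8N_API_KEY, source: "process" };
}

// Constructed sample: multi-tenant operator config and a tenant request that
// sends only x-n8n-url (values are placeholders, not real endpoints or keys).
const operatorEnv: Env = {
  ENABLE_MULTI_TENANT: "true",
  N8N_API_URL: "https://operator.example/api/v1",
  N8N_API_KEY: "<operator-api-key-placeholder>",
};
const partialRequest: Headers = { "x-n8n-url": "https://tenant-a.example/api/v1" };

console.log(resolveTargetVulnerable(partialRequest, operatorEnv).source); // "process"
try {
  resolveTargetHardened(partialRequest, operatorEnv);
} catch (e) {
  console.log((e as Error).message); // fails closed instead of using operator credentials
}
```

The same "both headers or reject" rule can be enforced in front of an unpatched server at the ingress proxy, and a log of `source === "process"` hits in multi-tenant mode is a useful detection signal for the fallback.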
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - czlonkowski/n8n-mcp < 2.51.2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N