n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests — CVE-2026-41495
ID
CVE-2026-41495
Source
GitHub
Vendor
GitHub
Threat
medium
CVSS
5.3
EPSS
0.00046
Summary
### Impact

When `n8n-mcp` runs in HTTP transport mode, incoming requests to the `POST /mcp` endpoint had their request metadata written to server logs regardless of the authentication outcome. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of:

- bearer…
Product
npm: n8n-mcp
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.