PatchSiren


CVE-2026-45582 czlonkowski CVE debrief

A telemetry sanitization defect in n8n-MCP prior to version 2.51.3 could cause URL-shaped node parameters (for example URLs whose path or query string carries customer identifiers, short secrets, or signed request parameters) to be retained in workflow telemetry sent to the project's anonymous telemetry backend, contrary to the documented collection boundary in PRIVACY.md. The issue was fixed in version 2.51.3.

Vendor
czlonkowski
Product
n8n-mcp
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running n8n-MCP whose workflows contain HTTP Request nodes that address URLs carrying customer or tenant identifiers, short secrets in query strings, or signed request parameters should prioritize this update: those values could have left the instance inside telemetry that the documented collection boundary says is not collected.

Technical summary

The workflow telemetry sanitizer in n8n-MCP versions prior to 2.51.3 did not fully redact URL-shaped node parameters. HTTP Request node configurations whose URLs embed customer identifiers, tenant IDs, short secrets in query strings, or signed request parameters could survive sanitization in whole or in part and be transmitted to the anonymous telemetry backend. This is an information disclosure weakness (CWE-201, sensitive information sent to an unintended party) in which data fragments bypassed the intended sanitization control; it is not a remotely triggered bug, and exposure is limited to instances that actually sent workflow telemetry. The fix in version 2.51.3 corrects the sanitization logic so these parameter types are redacted before transmission.
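The following is an added example, not n8n-MCP's own sanitizer before or after the fix. It contrasts a key-based sanitizer, which illustrates how a URL stored under an innocuous parameter name can pass through untouched, with a value-based one that reduces every URL-shaped string to its origin, and it includes the regression check a maintainer would want: which path segments and query values of the original URL still appear in the serialized payload. The node shape, the assumption that PRIVACY.md excludes parameter values such as URLs, and the sample URL are all constructed for the example.

```javascript
// Added example (not n8n-MCP's own code, past or present): two telemetry
// sanitizers run over a constructed HTTP Request node, plus a check for
// which fragments of the original URL survive into the outbound payload.
// Assumptions: node parameters are plain JSON; the collection boundary is
// taken to exclude parameter *values* such as URLs, so any URL-shaped
// string must be reduced to its origin before it is sent.

const URL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;
const SENSITIVE_KEYS = /password|secret|token|api[_-]?key|authorization/i;

// Key-based sanitizer, illustrating the class of defect: only parameters
// whose *name* looks sensitive are redacted, so a URL stored under "url"
// leaves the process with its path and query string intact.
function keyBasedSanitize(value) {
  if (Array.isArray(value)) return value.map(keyBasedSanitize);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) =>
      [k, SENSITIVE_KEYS.test(k) ? '[REDACTED]' : keyBasedSanitize(v)]));
  }
  return value;
}

// Value-based sanitizer: anything that parses as a URL keeps scheme and
// host only; path, query and fragment are dropped because that is where
// tenant IDs, customer IDs and signed parameters live.
function redactUrl(s) {
  try {
    const u = new URL(s);
    return `${u.protocol}//${u.host}/[REDACTED]`;
  } catch {
    return '[REDACTED]';   // URL-shaped but unparsable: do not guess, drop it
  }
}

function valueBasedSanitize(value) {
  if (typeof value === 'string') {
    if (URL_RE.test(value)) return redactUrl(value);
    // Bare query strings with two or more k=v pairs are redacted outright;
    // a lone k=v is too often an expression or plain text to act on.
    if (/^[^=&\s]+=[^&\s]*(&[^=&\s]+=[^&\s]*)+$/.test(value)) return '[REDACTED]';
    return value;
  }
  if (Array.isArray(value)) return value.map(valueBasedSanitize);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) =>
      [k, SENSITIVE_KEYS.test(k) ? '[REDACTED]' : valueBasedSanitize(v)]));
  }
  return value;
}

// Regression check: collect path segments and query values from every URL
// in the original node and report which of them still appear in the
// serialized telemetry payload. An empty result is the pass condition.
function urlFragments(value, acc = []) {
  if (typeof value === 'string' && URL_RE.test(value)) {
    try {
      const u = new URL(value);
      acc.push(...u.pathname.split('/').filter(Boolean), ...u.searchParams.values());
    } catch { /* unparsable: nothing to extract */ }
  } else if (Array.isArray(value)) {
    value.forEach(v => urlFragments(v, acc));
  } else if (value && typeof value === 'object') {
    Object.values(value).forEach(v => urlFragments(v, acc));
  }
  return acc;
}

function leakedFragments(original, sanitized) {
  const payload = JSON.stringify(sanitized);
  return urlFragments(original).filter(f => payload.includes(f));
}

// Constructed sample node (not from any real workflow).
const SAMPLE_NODE = {
  type: 'n8n-nodes-base.httpRequest',
  parameters: {
    method: 'GET',
    url: 'https://api.example.com/v1/tenants/acme-4711/orders?sig=3f9a1c&expires=1717000000',
  },
};

console.log('key-based  :', JSON.stringify(keyBasedSanitize(SAMPLE_NODE)));
console.log('leaked     :', leakedFragments(SAMPLE_NODE, keyBasedSanitize(SAMPLE_NODE)));
console.log('value-based:', JSON.stringify(valueBasedSanitize(SAMPLE_NODE)));
console.log('leaked     :', leakedFragments(SAMPLE_NODE, valueBasedSanitize(SAMPLE_NODE)));
```

The point of `leakedFragments` is that it tests the sanitizer from the data's side rather than the code's side: whatever redaction rules are in force, the check fails as soon as any identifier-bearing piece of an input URL reaches the serialized payload, which is the property the documented collection boundary actually promises.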

Defensive priority

medium

Recommended defensive actions

  • Upgrade n8n-MCP to version 2.51.3 or later
  • Review workflow configurations for HTTP Request nodes whose URL parameters carry identifiers, short secrets, or signed parameters in the path or query string
  • Inventory which of those values could have been exposed; the retained data sits on the project's telemetry backend, so the operator-side record of what may have been sent is the workflow itself
  • Verify that the collection boundary documented in PRIVACY.md is enforced in current deployments
  • Rotate any short secrets or signed parameters that appeared in query strings before the fix, and treat customer and tenant identifiers found there as potentially disclosed
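The review and inventory steps above can be run offline against exported workflow JSON. The following is an added example, not a tool shipped by n8n-MCP or n8n: it checks an installed version against the fixed release and lists HTTP Request nodes whose URL parameters carry query strings or path segments, flagging the query keys whose values should be rotated. The export shape (`nodes[]` with `name`, `type`, `parameters`), the node type string `n8n-nodes-base.httpRequest`, the list of signing-related key names, and the sample workflow are assumptions made for the example.

```javascript
// Added example (not part of n8n-MCP or n8n): an offline audit of exported
// n8n workflow JSON that lists HTTP Request nodes whose URL-shaped parameters
// carry query strings or path segments, i.e. the values a vulnerable
// telemetry sanitizer could have retained, plus a version check against the
// fixed release. Assumptions: exports follow the shape
// { nodes: [ { name, type, parameters } ] } and HTTP Request nodes have
// type "n8n-nodes-base.httpRequest".

const FIXED_VERSION = '2.51.3';
const HTTP_NODE_TYPE = 'n8n-nodes-base.httpRequest';
const URL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;

// Query keys that usually carry a signature or secret; extend to taste.
const SIGNING_KEYS = /^(sig|signature|token|key|api[_-]?key|expires|x-amz-signature)$/i;

// Dotted numeric comparison; true when `installed` is older than 2.51.3.
function isVulnerableVersion(installed) {
  const a = installed.split('.').map(Number);
  const b = FIXED_VERSION.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk a node's parameters and describe every URL-shaped string found:
// where it sits, its host, its query keys and its path segments.
function findUrlParameters(value, path = []) {
  const out = [];
  if (typeof value === 'string' && URL_RE.test(value)) {
    try {
      const u = new URL(value);
      out.push({
        path: path.join('.'),
        host: u.host,
        queryKeys: [...u.searchParams.keys()],
        pathSegments: u.pathname.split('/').filter(Boolean),
      });
    } catch { /* URL-shaped but unparsable: review by hand */ }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => out.push(...findUrlParameters(v, [...path, String(i)])));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      out.push(...findUrlParameters(v, [...path, k]));
    }
  }
  return out;
}

// One finding per HTTP Request node parameter whose URL has a path or query
// string; bare origins such as https://status.example.com/ are not reported.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== HTTP_NODE_TYPE) continue;
    for (const hit of findUrlParameters(node.parameters || {})) {
      if (hit.queryKeys.length === 0 && hit.pathSegments.length === 0) continue;
      findings.push({
        node: node.name,
        parameter: hit.path,
        host: hit.host,
        queryKeys: hit.queryKeys,
        signedKeys: hit.queryKeys.filter(k => SIGNING_KEYS.test(k)),
        pathSegments: hit.pathSegments,
      });
    }
  }
  return findings;
}

// Constructed sample export (not a real workflow).
const SAMPLE_WORKFLOW = {
  name: 'sync-orders',
  nodes: [
    { name: 'Fetch orders', type: HTTP_NODE_TYPE,
      parameters: { method: 'GET',
        url: 'https://api.example.com/tenants/acme-4711/orders?sig=3f9a1c&expires=1717000000' } },
    { name: 'Health check', type: HTTP_NODE_TYPE,
      parameters: { method: 'GET', url: 'https://status.example.com/' } },
    { name: 'Set fields', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'note', value: 'https://docs.example.com/guide?id=42' }] } } },
  ],
};

console.log('vulnerable 2.51.2:', isVulnerableVersion('2.51.2'));
for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`${f.node} [${f.parameter}] host=${f.host} query=${f.queryKeys.join(',')} ` +
              `rotate=${f.signedKeys.join(',') || '-'} path=${f.pathSegments.join('/')}`);
}
```

To run it over real exports, replace `SAMPLE_WORKFLOW` with `JSON.parse(fs.readFileSync(path))` for each file. Only HTTP Request nodes are reported because that is the node type the advisory names; widening `HTTP_NODE_TYPE` to a set is the obvious change if other URL-bearing nodes are in scope.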

Evidence notes

The CVE description and NVD record indicate that the vulnerability is incomplete sanitization of HTTP Request node parameters in workflow telemetry. The fix is confirmed in release 2.51.3. No evidence of active exploitation or of a KEV listing was found in the supplied corpus.
