PatchSiren cyber security CVE debrief
CVE-2026-45707 czlonkowski CVE debrief
A multi-tenant authentication bypass in n8n-MCP allows an authenticated tenant to redirect management calls to the operator's own n8n instance. The vulnerability exists in HTTP-mode deployments when ENABLE_MULTI_TENANT=true. Prior to version 2.51.2, a request that omitted one or both of the x-n8n-url and x-n8n-key headers silently fell back to the process-level credentials (N8N_API_URL / N8N_API_KEY) configured for the operator's own instance instead of being rejected. A tenant can therefore cross the tenant boundary into the operator's instance, with potential for unauthorized data exposure and administrative operations. Single-tenant deployments are unaffected. The issue was disclosed on 2026-05-29 and fixed in release 2.51.2.
- Vendor: czlonkowski
- Product: n8n-mcp
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations operating n8n-MCP as a shared multi-tenant HTTP service; security teams managing AI assistant infrastructure; DevOps engineers configuring n8n integrations with tenant isolation requirements
Technical summary
The n8n-MCP server provides AI assistants with access to n8n node documentation and operations. When deployed in multi-tenant mode (ENABLE_MULTI_TENANT=true) over HTTP transport, the server expects each request to identify its tenant via the x-n8n-url and x-n8n-key headers. A defect in versions prior to 2.51.2 makes the server fall back to the operator-configured environment variables (N8N_API_URL, N8N_API_KEY) whenever either header is absent, including when only one of the two is supplied. The fallback happens silently, without rejecting the request, so any authenticated tenant can aim management calls at the operator's n8n instance. Exploitation requires network access and valid tenant credentials, but it yields high-impact confidentiality and integrity violations against the host operator's infrastructure.
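The following TypeScript is an added illustration of the failure mode described above and of the fail-closed shape a fix takes. It is not n8n-MCP's own code and is not taken from the fix commit; the names (resolveTenantVulnerable, resolveTenantHardened, TenantHeaderError, the Env and Headers types) are assumptions chosen for this example. One choice the advisory does not spell out and this example makes on its own is that a header present but blank counts as missing.

```typescript
// Added example, not n8n-MCP's own code. All names below are hypothetical.

export interface Env {
  ENABLE_MULTI_TENANT?: string;
  N8N_API_URL?: string;
  N8N_API_KEY?: string;
}

export type Headers = Record<string, string | undefined>;

export interface TenantContext {
  apiUrl: string;
  apiKey: string;
  source: "headers" | "env"; // where the credentials came from
}

// Case-insensitive header lookup; a blank value is treated as absent
// (this example's own choice, not something the advisory states).
function header(headers: Headers, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want && v !== undefined && v.trim() !== "") return v;
  }
  return undefined;
}

// Vulnerable shape (the pre-2.51.2 behaviour the advisory describes): if the
// pair of tenant headers is incomplete, silently use the operator's
// process-level credentials, even though multi-tenant mode is enabled.
export function resolveTenantVulnerable(headers: Headers, env: Env): TenantContext | undefined {
  const url = header(headers, "x-n8n-url");
  const key = header(headers, "x-n8n-key");
  if (url && key) return { apiUrl: url, apiKey: key, source: "headers" };
  if (env.N8N_API_URL && env.N8N_API_KEY) {
    return { apiUrl: env.N8N_API_URL, apiKey: env.N8N_API_KEY, source: "env" };
  }
  return undefined;
}

export class TenantHeaderError extends Error {
  readonly missing: string[];
  constructor(missing: string[]) {
    super(`multi-tenant mode requires headers: ${missing.join(", ")}`);
    this.name = "TenantHeaderError";
    this.missing = missing;
  }
}

// Hardened shape: in multi-tenant mode both headers are mandatory and the
// environment fallback is never consulted; an incomplete pair fails closed.
// The caller is expected to map TenantHeaderError to a 4xx response.
export function resolveTenantHardened(headers: Headers, env: Env): TenantContext | undefined {
  const multiTenant = env.ENABLE_MULTI_TENANT === "true";
  const url = header(headers, "x-n8n-url");
  const key = header(headers, "x-n8n-key");
  if (multiTenant) {
    const missing: string[] = [];
    if (!url) missing.push("x-n8n-url");
    if (!key) missing.push("x-n8n-key");
    if (!url || !key) throw new TenantHeaderError(missing);
    return { apiUrl: url, apiKey: key, source: "headers" };
  }
  // Single-tenant mode: tenant headers are not part of the contract, so the
  // operator's configured instance is the only legitimate target.
  if (env.N8N_API_URL && env.N8N_API_KEY) {
    return { apiUrl: env.N8N_API_URL, apiKey: env.N8N_API_KEY, source: "env" };
  }
  return undefined;
}
```

The point of the split is that the decision is taken on the mode, not on what the request happens to carry: with ENABLE_MULTI_TENANT=true there is no code path that can ever return source "env", so a partial or empty header pair cannot reach the operator's instance.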
Defensive priority
HIGH
Recommended defensive actions
- Upgrade n8n-MCP to version 2.51.2 or later
- Verify ENABLE_MULTI_TENANT is not enabled unless multi-tenancy is explicitly required
- If multi-tenancy is required, confirm after upgrading that a request lacking either x-n8n-url or x-n8n-key is rejected rather than served, and make sure tenant clients always send both headers
- Review access logs for requests to the multi-tenant endpoint that carried a missing or partial tenant header pair yet received a successful response; before the fix such requests were served with the operator's credentials and may indicate exploitation
- Audit the operator's n8n instance (workflows, credentials, executions, users) to confirm no unauthorized access or changes occurred through the fallback
- Consider enforcing header presence at the reverse proxy or load balancer in front of the multi-tenant endpoint, returning an error when either header is absent, so that the application's check is not the only line of defence
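As an added example of the log review suggested above (not tooling from PatchSiren or the n8n-MCP project), the TypeScript below classifies request records by the state of their tenant header pair and flags the ones that were served anyway. It assumes a reverse proxy in front of the multi-tenant endpoint writes one JSON object per request with the fields shown in AccessRecord; that log format, the field names, the /mcp path prefix and the sample records are all constructed for this example. The key value itself is assumed to be logged only as a presence flag, never as its contents.

```typescript
// Added example, not n8n-MCP's or PatchSiren's code. Log format is assumed.

export interface AccessRecord {
  ts: string;
  client: string;
  path: string;
  status: number;
  x_n8n_url: string | null;      // value of x-n8n-url, or null when absent
  x_n8n_key_present: boolean;    // whether x-n8n-key was supplied (value never logged)
}

export type HeaderState = "ok" | "missing-url" | "missing-key" | "missing-both";

export interface Finding {
  ts: string;
  client: string;
  path: string;
  state: HeaderState;
  served: boolean; // true when the request got a non-error response
}

export interface AuditResult {
  findings: Finding[];
  malformed: number;
  byClient: Record<string, number>;
}

// Decide whether the tenant header pair on a request was complete.
export function classify(rec: AccessRecord): HeaderState {
  const hasUrl = typeof rec.x_n8n_url === "string" && rec.x_n8n_url.trim() !== "";
  const hasKey = rec.x_n8n_key_present === true;
  if (hasUrl && hasKey) return "ok";
  if (!hasUrl && !hasKey) return "missing-both";
  return hasUrl ? "missing-key" : "missing-url";
}

// Walk JSON-lines access records and report every request to the MCP endpoint
// whose tenant header pair was incomplete. A finding with served=true is the
// pattern that matters pre-fix: the request went through on the operator's
// credentials. Unparseable lines are counted rather than silently dropped.
export function auditTenantHeaders(lines: string[], mcpPathPrefix = "/mcp"): AuditResult {
  const findings: Finding[] = [];
  const byClient: Record<string, number> = {};
  let malformed = 0;
  for (const line of lines) {
    if (line.trim() === "") continue;
    let rec: AccessRecord;
    try {
      rec = JSON.parse(line) as AccessRecord;
    } catch {
      malformed++;
      continue;
    }
    if (typeof rec.path !== "string" || !rec.path.startsWith(mcpPathPrefix)) continue;
    const state = classify(rec);
    if (state === "ok") continue;
    findings.push({ ts: rec.ts, client: rec.client, path: rec.path, state, served: rec.status < 400 });
    byClient[rec.client] = (byClient[rec.client] ?? 0) + 1;
  }
  return { findings, malformed, byClient };
}

// Constructed sample log: one clean request, two served with a partial or
// empty header pair, a health check outside the endpoint, a garbage line,
// and one rejected request (the post-fix behaviour).
export const SAMPLE_LOG: string[] = [
  '{"ts":"2026-05-30T10:00:01Z","client":"198.51.100.4","path":"/mcp","status":200,"x_n8n_url":"https://tenant-a.example/api/v1","x_n8n_key_present":true}',
  '{"ts":"2026-05-30T10:00:05Z","client":"203.0.113.7","path":"/mcp","status":200,"x_n8n_url":"https://tenant-b.example/api/v1","x_n8n_key_present":false}',
  '{"ts":"2026-05-30T10:00:09Z","client":"203.0.113.7","path":"/mcp","status":200,"x_n8n_url":null,"x_n8n_key_present":false}',
  '{"ts":"2026-05-30T10:00:12Z","client":"198.51.100.9","path":"/healthz","status":200,"x_n8n_url":null,"x_n8n_key_present":false}',
  "this line is not json",
  '{"ts":"2026-05-30T10:01:00Z","client":"192.0.2.33","path":"/mcp","status":401,"x_n8n_url":null,"x_n8n_key_present":true}',
];
```

Run it over the sample and the two served findings from 203.0.113.7 are the records worth tracing back to a tenant account; the 401 from 192.0.2.33 is what a patched server or a proxy rule should produce for the same request shape.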
Evidence notes
CVE description confirms the fallback behavior to process-level credentials when headers are omitted or incomplete. CVSS 8.1 (HIGH) reflects network attack vector with low complexity, low privileges required, and high impact to confidentiality and integrity. CWE-284 (Improper Access Control) assigned by GitHub Security Advisories. Fix commit 853015d0897be7cf2d9d4726de195c938e4395ab and release v2.51.2 confirm remediation.
Official resources
2026-05-29