{"data":{"id":"0a2bc6cd-15ad-4368-9ed1-f016091d5642","title":"GHSA-8g7g-hmwm-6rv2: n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure","summary":"n8n-mcp versions before 2.50.1 had three security issues: unvalidated workflow IDs allowed path traversal, letting attackers bypass access controls and leak API keys; webhook URLs followed redirects to unintended hosts (SSRF, a type of attack where a server makes unwanted requests to other systems); and telemetry (usage data sent to developers) stored sensitive information like API keys without hiding it. The advisory has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 8.3, and exploitation requires an authenticated attacker with access to the n8n API.","solution":"Upgrade to n8n-mcp version 2.50.1 or later. If upgrading is not immediately possible, the source provides these workarounds: for issues 1 and 2, restrict network access to the HTTP port through firewall rules or switch to stdio mode (a communication method that does not expose HTTP); for issue 3, set the environment variable `N8N_MCP_TELEMETRY_DISABLED=true` before starting the server, or run `npx n8n-mcp telemetry disable` once.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-8g7g-hmwm-6rv2","publishedAt":"2026-05-08T17:00:09.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["rag_poisoning","data_extraction"],"issueType":"vulnerability","affectedPackages":["n8n-mcp@< 2.50.1 (fixed: 2.50.1)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["n8n","n8n-mcp"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-05-08T17:00:09.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}