{"data":{"id":"a80507f4-7190-4dd1-9831-e4161e346efa","title":"GHSA-75hx-xj24-mqrw: n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport","summary":"n8n-mcp (a tool for connecting AI systems to external services) had security problems where certain HTTP endpoints (the connection points a program offers over the internet) didn't require authentication and exposed sensitive system information. An attacker with network access could shut down active sessions and gather details to plan further attacks.","solution":"Fixed in v2.47.6, where all MCP session endpoints now require Bearer authentication (a token-based security method). If you cannot upgrade immediately, you can restrict network access using firewall rules, reverse proxy IP allowlists, or a VPN to allow only trusted clients. Alternatively, use stdio mode (MCP_MODE=stdio) instead of HTTP mode, since stdio transport does not expose HTTP endpoints and is not affected by this vulnerability.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-75hx-xj24-mqrw","publishedAt":"2026-04-10T20:59:58.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":["n8n-mcp@<= 2.47.5 (fixed: 2.47.6)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["n8n-mcp"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-10T20:59:58.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}