GHSA-jxx9-px88-pj69: n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
Summary
In n8n-mcp (a tool that bridges AI agents to n8n workflow automation) running in multi-tenant mode, requests missing tenant identification headers would fall back to using the operator's own n8n credentials, allowing an authenticated tenant to access or modify the operator's workflows and data instead of their own. This only affects shared multi-tenant deployments, not single-tenant setups.
Solution / Mitigation
Fixed in n8n-mcp 2.51.2. The fix rejects requests without proper tenant headers at the HTTP edge with a 400 error before processing them, prevents the system from falling back to the operator's credentials when in multi-tenant mode, and blocks secondary leaks in health checks and other handlers.

Upgrade via 'npx n8n-mcp@latest' (npm) or 'docker pull ghcr.io/czlonkowski/n8n-mcp:latest' (Docker).

Workarounds if upgrading immediately is not possible: disable multi-tenant mode and run separate instances per tenant; use a proxy to reject requests missing both tenant headers; or restrict the operator API key to the minimum required permissions if your n8n supports scoping (Enterprise or compatible Community Edition builds).
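The fallback pattern described above, next to a strict check of the kind the fix applies at the HTTP edge. This is an added example, not code from n8n-mcp or from the advisory; the header names (`x-n8n-url`, `x-n8n-key`), the environment variable names and the function names are assumptions made for illustration.

```javascript
// Added illustration, not n8n-mcp source. Header and env names are assumptions.
const TENANT_HEADERS = ['x-n8n-url', 'x-n8n-key'];

// Constructed sample values (placeholders, not real endpoints or keys).
const operatorEnv = {
  N8N_API_URL: 'https://operator.example.invalid',
  N8N_API_KEY: 'OPERATOR-KEY-PLACEHOLDER',
};

// Pre-fix pattern: a missing or empty tenant header is silently filled from
// the operator's process-level configuration.
function resolveWithFallback(headers, env) {
  return {
    url: headers['x-n8n-url'] || env.N8N_API_URL,
    key: headers['x-n8n-key'] || env.N8N_API_KEY,
  };
}

// Hardened pattern: in multi-tenant mode both headers must be present,
// single-valued, non-empty strings; otherwise answer 400 and never read the
// operator's credentials. Node lowercases incoming header names, and a
// repeated header that arrives as an array fails the string check.
function resolveStrict(headers, env, multiTenant) {
  if (!multiTenant) {
    return { ok: true, creds: { url: env.N8N_API_URL, key: env.N8N_API_KEY } };
  }
  const missing = TENANT_HEADERS.filter((name) => {
    const value = headers[name];
    return typeof value !== 'string' || value.trim() === '';
  });
  if (missing.length > 0) {
    return { ok: false, status: 400, error: `missing tenant header(s): ${missing.join(', ')}` };
  }
  return {
    ok: true,
    creds: { url: headers['x-n8n-url'].trim(), key: headers['x-n8n-key'].trim() },
  };
}

// Constructed request with only one of the two tenant headers.
const incomplete = { 'x-n8n-url': 'https://tenant-a.example.invalid' };
console.log(resolveWithFallback(incomplete, operatorEnv)); // operator key leaks in
console.log(resolveStrict(incomplete, operatorEnv, true)); // rejected with 400
```

The same presence check can be applied in a reverse proxy in front of an unpatched instance, which is the second workaround listed above.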
Vulnerability Details
EPSS: 0.0%
May 18, 2026
Original source: https://github.com/advisories/GHSA-jxx9-px88-pj69
First tracked: May 18, 2026 at 02:00 PM