{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/n8n-mcp--2.51.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["n8n-mcp (\u003c= 2.51.1)"],"_cs_severities":["high"],"_cs_tags":["credential-access","privilege-escalation","cve-2026-45707"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003en8n-mcp is vulnerable to a credential fallback issue when running in multi-tenant mode (\u003ccode\u003eENABLE_MULTI_TENANT=true\u003c/code\u003e). Specifically, when HTTP requests to the n8n-mcp instance lack the required \u003ccode\u003ex-n8n-url\u003c/code\u003e and/or \u003ccode\u003ex-n8n-key\u003c/code\u003e headers, the application silently defaults to the operator\u0026rsquo;s own n8n instance credentials (\u003ccode\u003eN8N_API_URL\u003c/code\u003e / \u003ccode\u003eN8N_API_KEY\u003c/code\u003e) for whichever value is missing. This design flaw allows an authenticated tenant on the MCP platform to inadvertently, or maliciously, execute n8n management calls against the operator\u0026rsquo;s environment instead of their own isolated instance. 
This vulnerability affects HTTP-mode deployments of \u003ccode\u003en8n-mcp\u003c/code\u003e versions 2.51.1 and earlier that are configured as a shared multi-tenant service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an n8n-mcp tenant account within a multi-tenant deployment where \u003ccode\u003eENABLE_MULTI_TENANT=true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request intended for their own n8n instance, but intentionally omits the \u003ccode\u003ex-n8n-url\u003c/code\u003e and/or \u003ccode\u003ex-n8n-key\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe n8n-mcp instance, upon receiving the incomplete request, fails to properly validate the tenant context due to the missing headers.\u003c/li\u003e\n\u003cli\u003eInstead of rejecting the request, the n8n-mcp instance incorrectly falls back to using the operator\u0026rsquo;s configured \u003ccode\u003eN8N_API_URL\u003c/code\u003e and \u003ccode\u003eN8N_API_KEY\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s request is then processed, leveraging the operator\u0026rsquo;s credentials to interact with the operator\u0026rsquo;s n8n instance.\u003c/li\u003e\n\u003cli\u003eDepending on the permissions associated with the operator\u0026rsquo;s API key, the attacker could potentially read or modify workflows, credentials, executions, and data tables within the operator\u0026rsquo;s n8n environment.\u003c/li\u003e\n\u003cli\u003eIf the operator\u0026rsquo;s n8n instance has Code nodes enabled and sufficient permissions, the attacker could potentially escalate to remote code execution within the operator\u0026rsquo;s n8n runtime environment by manipulating workflows.\u003c/li\u003e\n\u003cli\u003eThe final objective is unauthorized access to the operator\u0026rsquo;s n8n instance, potentially leading to data breaches, service disruption, or further lateral 
movement within the operator\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-45707) allows a malicious tenant to read and write workflows, executions, data-table contents, and credential metadata on the operator\u0026rsquo;s n8n instance. If the operator\u0026rsquo;s n8n permits Code-node execution that reaches OS-level modules, the path could escalate to remote code execution inside the operator\u0026rsquo;s n8n runtime. The result can be a complete compromise of the operator\u0026rsquo;s n8n instance and its associated data, and with it the business operations and sensitive information that instance handles.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to n8n-mcp version 2.51.2 or later to remediate CVE-2026-45707.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, set \u003ccode\u003eENABLE_MULTI_TENANT=false\u003c/code\u003e to disable multi-tenant mode. Note that this removes per-request tenant routing rather than isolating tenants: the service then serves only the single configured instance, so it is a stopgap for deployments that can temporarily stop acting as a shared gateway.\u003c/li\u003e\n\u003cli\u003eImplement a proxy or web application firewall (WAF) rule in front of the n8n-mcp listener that rejects requests missing either the \u003ccode\u003ex-n8n-url\u003c/code\u003e or the \u003ccode\u003ex-n8n-key\u003c/code\u003e header. The fallback triggers whenever either header is absent, so a rule that fires only when both are missing leaves the partial case (URL supplied, key omitted) open.\u003c/li\u003e\n\u003cli\u003eReview and restrict the scopes of the operator\u0026rsquo;s \u003ccode\u003eN8N_API_KEY\u003c/code\u003e to the minimum required permissions to limit the blast radius in case of a successful fallback.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:42:22Z","date_published":"2026-05-18T17:42:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-n8n-mcp-tenant-fallback/","summary":"When ENABLE_MULTI_TENANT=true, n8n-mcp requests that omit x-n8n-url or x-n8n-key headers silently fall back to the process-level 
N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance; an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own, leading to potential data access and code execution on the operator's n8n instance.","title":"n8n-mcp Multi-Tenant Credential Fallback Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-n8n-mcp-tenant-fallback/"}],"language":"en","title":"CraftedSignal Threat Feed — N8n-Mcp (\u003c= 2.51.1)","version":"https://jsonfeed.org/version/1.1"}
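The fallback described in the attack chain and the two header-based mitigations from the recommendation, as an added JavaScript example that is not n8n-mcp's own code. The function names (`resolveTenantVulnerable`, `resolveTenantHardened`, `gateRequest`, `compareRequests`), the `OPERATOR_ENV` object and the sample request headers are constructed for this illustration; the vulnerable resolver models the behaviour the advisory describes, the hardened one never consults process-level credentials in multi-tenant mode, and the gate fires when either header is absent, not only when both are.

```javascript
// Added illustration, not n8n-mcp's own code: a minimal model of the
// credential fallback behind CVE-2026-45707 next to a hardened resolver and
// an edge-side header gate. Names, env values and sample requests are
// constructed for this example.

// Constructed stand-in for the operator's process environment.
const OPERATOR_ENV = {
  ENABLE_MULTI_TENANT: 'true',
  N8N_API_URL: 'https://n8n.operator.internal',
  N8N_API_KEY: 'operator-api-key',
};

const TENANT_HEADERS = ['x-n8n-url', 'x-n8n-key'];

// Case-insensitive header lookup; blank or whitespace-only values count as absent.
function headerValue(headers, name) {
  const k = Object.keys(headers).find((h) => h.toLowerCase() === name);
  const v = k === undefined ? undefined : headers[k];
  return typeof v === 'string' && v.trim() !== '' ? v.trim() : undefined;
}

function badRequest(message) {
  const err = new Error(message);
  err.status = 400;
  return err;
}

// Vulnerable pattern as the advisory describes it: each missing header silently
// falls back to the process-level value, so a tenant request without headers
// (or with only one of them) is executed against the operator's own instance.
function resolveTenantVulnerable(headers, env) {
  return {
    url: headerValue(headers, 'x-n8n-url') || env.N8N_API_URL,
    key: headerValue(headers, 'x-n8n-key') || env.N8N_API_KEY,
  };
}

// Hardened resolver: in multi-tenant mode the process-level credentials are
// never consulted. Both headers are mandatory, a partial set is rejected rather
// than half-filled from env, and the tenant URL must parse as http(s).
function resolveTenantHardened(headers, env) {
  if (env.ENABLE_MULTI_TENANT !== 'true') {
    // Single-tenant deployment: the configured instance is the only target.
    return { url: env.N8N_API_URL, key: env.N8N_API_KEY, source: 'operator' };
  }
  const missing = TENANT_HEADERS.filter((h) => !headerValue(headers, h));
  if (missing.length > 0) {
    throw badRequest(`multi-tenant request missing header(s): ${missing.join(', ')}`);
  }
  const url = headerValue(headers, 'x-n8n-url');
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw badRequest('x-n8n-url is not a valid URL');
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    throw badRequest(`unsupported x-n8n-url scheme: ${parsed.protocol}`);
  }
  return { url, key: headerValue(headers, 'x-n8n-key'), source: 'tenant' };
}

// Proxy/WAF equivalent of the advisory's mitigation: the response a reverse
// proxy in front of the n8n-mcp listener should send instead of forwarding.
// It fires when EITHER header is absent, which is what the fallback requires.
function gateRequest(headers) {
  const missing = TENANT_HEADERS.filter((h) => !headerValue(headers, h));
  if (missing.length > 0) {
    return { forward: false, status: 400, body: `missing header(s): ${missing.join(', ')}` };
  }
  return { forward: true, status: 0, body: '' };
}

// Runs one request through all three paths and reports the outcome.
function compareRequests(headers, env) {
  let hardened;
  try {
    hardened = resolveTenantHardened(headers, env);
  } catch (e) {
    hardened = { rejected: true, status: e.status, reason: e.message };
  }
  return { vulnerable: resolveTenantVulnerable(headers, env), hardened, gate: gateRequest(headers) };
}

// Constructed sample requests: a tenant that omits both headers, one that
// supplies only the URL, and a correctly formed tenant request.
const SAMPLE_REQUESTS = {
  noHeaders: { host: 'mcp.example.com', authorization: 'Bearer tenant-token' },
  urlOnly: { host: 'mcp.example.com', 'x-n8n-url': 'https://tenant-a.example.com' },
  complete: {
    host: 'mcp.example.com',
    'X-N8N-URL': 'https://tenant-a.example.com',
    'X-N8N-Key': 'tenant-a-key',
  },
};

for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, JSON.stringify(compareRequests(headers, OPERATOR_ENV)));
}
```

The `urlOnly` case is the one the page's "missing both" wording would have let through: the vulnerable resolver pairs the tenant's URL with the operator's key, while the hardened resolver and the gate both reject it with a 400 naming `x-n8n-key`.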