{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/n8n-mcp--2.56.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["n8n-mcp \u003c= 2.56.0"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","cross-tenant","n8n"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eA critical cross-tenant access vulnerability, identified as CVE-2026-54052, has been discovered in n8n-mcp versions up to 2.56.0. This flaw specifically affects multi-tenant HTTP deployments of n8n-mcp, a popular workflow automation tool, where a single server manages multiple tenant instances. The vulnerability stems from inadequate isolation of locally stored workflow version history, allowing an authenticated tenant to read, delete, or destroy workflow version backups belonging to other tenants. These backups contain sensitive data, including credential references and authorization headers from node definitions, thereby posing significant confidentiality, integrity, and availability risks to affected organizations. While no specific threat actors have been attributed to exploiting this vulnerability in the wild, the potential for unauthorized access to sensitive tenant data makes it a high-priority concern for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker obtains valid authentication credentials for a legitimate tenant account within an affected n8n-mcp multi-tenant HTTP deployment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication\u003c/strong\u003e: The attacker successfully authenticates to the n8n-mcp instance using the compromised tenant credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery\u003c/strong\u003e: While authenticated, the attacker accesses the workflow version history feature, typically available via the user interface or API endpoints.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation\u003c/strong\u003e: Due to the vulnerability (CVE-2026-54052) stemming from insufficient isolation of locally stored backups, the attacker's request for workflow versions unintentionally exposes or grants access to version backups associated with other tenants.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCollection\u003c/strong\u003e: The attacker reads sensitive information, such as credential references and authorization headers, directly from the exposed workflow version snapshots of other tenants.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact/Manipulation\u003c/strong\u003e: The attacker may then delete or destroy the workflow version backups of other tenants, impacting data integrity and availability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration\u003c/strong\u003e: The attacker exfiltrates the collected sensitive data, such as authentication credentials, from the compromised workflow backups for further malicious use.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIn multi-tenant HTTP deployments where a single n8n-mcp server serves several tenants, the locally stored workflow version history (automatic backups taken before workflow updates) was not isolated per tenant. An authenticated tenant could read workflow version snapshots belonging to other tenants, and could delete or destroy other tenants' stored backups. A stored snapshot includes full node definitions, so the exposed data can contain credential references and authorization headers configured on nodes. This is therefore a confidentiality issue in addition to an integrity/availability one. There is no information available regarding the number of victims or specific sectors targeted, but any organization using affected configurations of n8n-mcp is at risk of sensitive data exposure and denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n-mcp instances to version \u003ccode\u003e2.56.1\u003c/code\u003e immediately to patch CVE-2026-54052, which isolates stored version history per instance.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade to \u003ccode\u003en8n-mcp\u003c/code\u003e version \u003ccode\u003e2.56.1\u003c/code\u003e is not possible, disable the workflow version tool by setting \u003ccode\u003eDISABLED_TOOLS=n8n_workflow_versions\u003c/code\u003e in the server environment (e.g., Docker \u003ccode\u003e.env\u003c/code\u003e) to close the cross-tenant access path.\u003c/li\u003e\n\u003cli\u003eAlternatively, avoid running \u003ccode\u003en8n-mcp\u003c/code\u003e in multi-tenant mode by serving each tenant from a separate instance with its own database, ensuring no local store is shared between tenants.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the \u003ccode\u003en8n-mcp\u003c/code\u003e HTTP endpoint to trusted operators only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T19:15:24Z","date_published":"2026-07-14T19:15:24Z","id":"https://feed.craftedsignal.io/briefs/2026-07-n8n-mcp-cross-tenant-access/","summary":"A critical cross-tenant access vulnerability exists in n8n-mcp versions up to 2.56.0, specifically in multi-tenant HTTP deployments. An authenticated tenant can read, delete, or destroy workflow version backups belonging to other tenants due to insufficient isolation of locally stored version history. This exposure includes sensitive data such as credential references and authorization headers embedded in node definitions, posing both a confidentiality and integrity/availability risk.","title":"n8n-mcp Cross-Tenant Workflow Version Access Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-n8n-mcp-cross-tenant-access/"}],"language":"en","title":"CraftedSignal Threat Feed - N8n-Mcp \u003c= 2.56.0","version":"https://jsonfeed.org/version/1.1"}