CVE-2026-41495: n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
When n8n-mcp runs in HTTP transport mode, the request metadata of incoming POST /mcp requests was written to server logs regardless of the authentication outcome. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of:
- bearer tokens from the Authorization header
- per-tenant API keys from the x-n8n-key header in multi-tenant setups
- JSON-RPC request payloads sent to the MCP endpoint
Access control itself was not bypassed — unauthenticated requests were correctly rejected with 401 Unauthorized — but sensitive values from those rejected requests could still be persisted in logs.
Impact category: CWE-532 (Insertion of Sensitive Information into Log File).
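The defect class above is an ordering and redaction problem: the log record is built from the raw request before the authentication decision, so a rejected request still leaves its credentials and payload behind. The following is an added TypeScript example, not n8n-mcp's own code, showing the mitigation (authenticate first, mask credential-bearing headers, never log the body of a rejected request) together with a small log scanner a defender can run over already-collected log lines to check whether such values leaked. The Authorization and x-n8n-key header names come from the advisory; the `tokenMatches` helper, the `LogRecord` shape, the extra header names and all sample requests and log lines are assumptions constructed for illustration.

```typescript
// Added example (not n8n-mcp's own code): request logging for an HTTP-transport
// MCP endpoint that never persists credentials or payloads from rejected requests.

type HeaderMap = Record<string, string | undefined>;

// Header names whose values must never reach a log, compared case-insensitively.
// Authorization and x-n8n-key are the headers named in the advisory; the others
// are assumed additions that commonly carry credentials.
const SENSITIVE_HEADERS = new Set(["authorization", "x-n8n-key", "cookie", "proxy-authorization"]);

export interface LogRecord {
  method: string;
  path: string;
  status: number;
  headers: Record<string, string>; // sensitive values replaced with "[REDACTED]"
  rpcMethod?: string;              // only for authenticated requests, and only the method name
}

export interface IncomingRequest {
  method: string;
  path: string;
  headers: HeaderMap;
  body: string; // raw JSON-RPC body, parsed only after authentication succeeds
}

function getHeader(headers: HeaderMap, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Copies headers for logging, masking the values of sensitive ones.
export function redactHeaders(headers: HeaderMap): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    if (value === undefined) continue;
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? "[REDACTED]" : value;
  }
  return out;
}

// Hypothetical helper: length-checked, constant-time comparison of the presented bearer token.
function tokenMatches(presented: string | undefined, expected: string): boolean {
  if (presented === undefined || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Authenticates first, then writes exactly one record. Rejected requests get a 401
// and a record containing redacted headers and no payload data at all.
export function handleMcpRequest(req: IncomingRequest, expectedToken: string, log: LogRecord[]): number {
  const bearer = getHeader(req.headers, "authorization")?.replace(/^Bearer\s+/i, "");
  const authenticated = tokenMatches(bearer, expectedToken);
  const status = authenticated ? 200 : 401;
  const record: LogRecord = { method: req.method, path: req.path, status, headers: redactHeaders(req.headers) };
  if (authenticated) {
    try {
      const parsed = JSON.parse(req.body) as { method?: unknown };
      if (typeof parsed.method === "string") record.rpcMethod = parsed.method; // never params
    } catch {
      // malformed body: nothing to record
    }
  }
  log.push(record);
  return status;
}

// Detection side: flag log lines that still contain something shaped like a bearer
// token or an x-n8n-key value, so a past leak can be located in collected logs.
const LEAK_PATTERNS: RegExp[] = [
  /bearer\s+[A-Za-z0-9._~+\/=-]{8,}/i,
  /x-n8n-key["':=\s]+[A-Za-z0-9._-]{8,}/i,
];
export function findCredentialLeaks(lines: string[]): number[] {
  const hits: number[] = [];
  lines.forEach((line, i) => {
    if (LEAK_PATTERNS.some((p) => p.test(line))) hits.push(i);
  });
  return hits;
}

// Constructed sample: one rejected request carrying both sensitive headers, then one accepted request.
export function demo(): { log: LogRecord[]; leaks: number[] } {
  const log: LogRecord[] = [];
  const body = '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}';
  const expected = "secret-token-123456"; // constructed value
  handleMcpRequest(
    { method: "POST", path: "/mcp", headers: { Authorization: "Bearer wrong-token-000000", "x-n8n-key": "tenant-key-abcdef123" }, body },
    expected, log);
  handleMcpRequest({ method: "POST", path: "/mcp", headers: { authorization: "Bearer " + expected }, body }, expected, log);
  const leaks = findCredentialLeaks(log.map((r) => JSON.stringify(r)));
  return { log, leaks };
}
```

Running `demo()` yields two records: the rejected one carries `[REDACTED]` for both headers and no `rpcMethod`, the accepted one records only the JSON-RPC method name, and `findCredentialLeaks` over the serialized records returns no hits. Feeding the scanner lines written by a logger that serialized raw headers (as the advisory describes) returns the offending line indices, which is the check to run against retained logs before deciding whether tokens and per-tenant keys need rotation.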