CVE-2026-45582: n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
In affected versions of n8n-mcp, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project’s anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md.
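An added illustration of this failure class, not n8n-mcp's sanitizer or its fix: a constructed redaction pattern that leaves path and query fragments behind, next to a fail-closed walk that replaces any URL-shaped string whole, with a check for known tokens in the serialized payload. The sample node contents, function names and placeholder strings are assumptions.

```javascript
// Constructed sample: an HTTP-Request-style node with identifiers in URL-shaped values.
const sampleNode = {
  type: 'n8n-nodes-base.httpRequest',
  parameters: {
    method: 'GET',
    url: 'https://api.example.test/tenants/acme-4412/export?sig=Zk3xQ9&exp=1700000000',
    note: 'fallback https://cdn.example.test/t/acme-4412', // constructed free-text field
  },
};

// Weak pattern (illustrative only): matches scheme and host, so the path and
// query string survive as a fragment after the placeholder.
function partialRedact(value) {
  return value.replace(/https?:\/\/[^\s\/?#]+/g, '[URL]');
}

// Any scheme://... token anywhere in a string marks the string as URL-shaped.
const URL_SHAPED = /\b[a-z][a-z0-9+.-]*:\/\/\S+/i;
const wholeRedact = (s) => (URL_SHAPED.test(s) ? '[REDACTED_URL]' : s);

// Recursive walk over node parameters. With the default rule, a string that
// contains anything URL-shaped is replaced whole (fail closed), so no path
// segment, query key or query value reaches the telemetry payload.
function redactUrlShaped(value, apply = wholeRedact) {
  if (typeof value === 'string') return apply(value);
  if (Array.isArray(value)) return value.map((v) => redactUrlShaped(v, apply));
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, redactUrlShaped(v, apply)])
    );
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Regression check: which known-sensitive tokens still appear in the payload
// as it would be serialized for sending?
function leakedTokens(payload, tokens) {
  const wire = JSON.stringify(payload);
  return tokens.filter((t) => wire.includes(t));
}

const tokens = ['acme-4412', 'Zk3xQ9']; // constructed tenant id and signature
console.log('partial:', leakedTokens(redactUrlShaped(sampleNode, partialRedact), tokens));
console.log('whole:  ', leakedTokens(redactUrlShaped(sampleNode), tokens));
```

A token-presence check like `leakedTokens` is useful as a regression test on the final serialized payload, since it catches fragments regardless of which sanitizer stage let them through.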
References
- github.com/advisories/GHSA-f3rg-xqjj-cj9w
- github.com/czlonkowski/n8n-mcp/commit/6cf6fef653fcd6d598f2f356aac4754931c7329f
- github.com/czlonkowski/n8n-mcp/pull/782
- github.com/czlonkowski/n8n-mcp/releases/tag/v2.51.3
- github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-f3rg-xqjj-cj9w
- nvd.nist.gov/vuln/detail/CVE-2026-45582