Improper Access Control
CVE-2026-45707
Summary
A vulnerability has been found in n8n-mcp versions prior to 2.51.2. When `ENABLE_MULTI_TENANT=true`, the HTTP transport documents that the target n8n instance is selected per-request from `x-n8n-url` / `x-n8n-key` headers. Requests that omitted those headers -- or supplied only one of them silently fell back to the process-level `N8N_API_URL` / `N8N_API_KEY` credentials configured for the operator's own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own. This affects HTTP-mode deployments of n8n-mcp that are run as a shared multi-tenant service. Single-tenant deployments ('ENABLE_MULTI_TENANT' unset or 'false') are not affected.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- NONE
CWE-284 - Improper Access Control
Listed 5th in the 'OWASP Top Ten', improper (or broken) access control attacks are a fundamental type of vulnerability. This includes a broad range of design flaws that enable users to act outside of their intended permissions. They can use these privileges to gain access to restricted files and functionality such as accessing restricted information, falsifying records, destroying data, or executing commands.
References
Advisory Timeline
- Published
