CVE-2026-55608
n8n-MCP: Incorrect authorization can expose default-scope workflow version backups in multi-tenant HTTP mode
CVSS Score
4.2
EPSS Score
0.0%
EPSS Percentile
0th
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.57.4, multi-tenant HTTP mode with ENABLE_MULTI_TENANT=true could allow an authenticated tenant to access default-scope workflow_versions backups instead of being confined to the tenant scope, exposing or deleting workflow-version backups from prior single-tenant deployments or migrations. This issue is fixed in version 2.57.4.
| CWE | CWE-200 CWE-863 |
| Vendor | czlonkowski |
| Product | n8n-mcp |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for czlonkowski n8n-mcp
Be the first to know when new medium vulnerabilities affecting czlonkowski n8n-mcp are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
czlonkowski / n8n-mcp
< 2.57.4