CVE-2026-49357

CVE-2026-49357 affects line-desktop-mcp (LINE Desktop MCP). In --http-mode, the MCP server binds to 0.0.0.0 and exposes the /mcp endpoint without MCP authentication, enabling any network client on the port to initialize a session, list tools, and call tools that read LINE Desktop chat history or ...

CVE-2026-45707

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that...

CVE-2026-45707

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that...

Failing Open

Overview n8n-mcp is an Integration between n8n workflow automation and Model Context Protocol MCP Affected versions of this package are vulnerable to Failing Open when handing multi-tenant HTTP requests ENABLEMULTITENANT=true containing one or neither of the x-n8n-url and x-n8n-key headers. An...

CVE-2026-42282 n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the...

CVE-2026-42282

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the...

CVE-2026-42282

Summary: The CVE concerns n8n-mcp (MCP server) logging sensitive tool-call arguments on authenticated HTTP requests. Affected in HTTP transport mode prior to version 2.47.13, where full arguments and JSON‑RPC params could be written to server logs, exposing credentials and secret-bearing data (e....

CVE-2026-41495

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.11, when n8n-mcp runs in HTTP transport mode, incoming requests to the POST /mcp endpoint had their request metadata written to server logs regardless of the...

n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode

Impact When n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material — most notably...

GHSA-WG4G-395P-MQV3 n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode

Impact When n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material — most notably...

CVE-2026-39974

CVE-2026-39974 affects the n8n-mcp component (Model Context Protocol server). In multi-tenant HTTP mode, an authenticated caller with a valid AUTH_TOKEN can trigger SSRF to arbitrary URLs supplied via per-request headers (instance-URL headers). The server reflects HTTP responses back through JSON...

CVE-2026-39974 n8n-MCP has an Authenticated SSRF via instance-URL header in multi-tenant HTTP mode

n8n-MCP is a Model Context Protocol MCP server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTHTOKEN to cause the server to iss...

CVE-2025-59155

hackmd-mcp is a Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants. From 1.4.0 to before 1.5.0, hackmd-mcp contains a server-side request forgery SSRF vulnerability when the server is run in HTTP transport mode. Arbitrary hackmdApiUrl values supplied vi...