n8n-MCP HTTP Transport Mode Logging Vulnerability Exposing Sensitive Data

Vulnerability

n8n-MCP versions up to and including 2.47.10 log sensitive request metadata when the server runs in HTTP transport mode. The log entry is written for every incoming POST /mcp request, before and regardless of the outcome of authentication. As a result, bearer tokens from the Authorization header, per-tenant API keys from the x-n8n-key header in multi-tenant deployments, and the JSON-RPC request payload sent to the MCP endpoint can end up in the server log. Access control itself is enforced correctly, since unauthenticated requests are rejected with HTTP 401, but the credentials and payloads carried by those rejected requests are still recorded, so an attacker does not need a valid token to get data into the log, and a legitimate client's valid token is logged on every call.
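The logging-before-authentication pattern the advisory describes, next to a redacting version that fixes it, as an added example in plain Node.js. This is illustrative code and not n8n-MCP's own handler: the request object shape, the EXPECTED_TOKEN comparison, the list of sensitive headers and the constructed sample request are all assumptions made for the example.

```javascript
// Added example, not n8n-MCP's own code: a minimal request logger for a
// JSON-RPC-over-HTTP endpoint that reproduces the class of bug in the advisory
// (logging secret-bearing headers and the request body for every POST /mcp,
// before the authentication check) next to a hardened version.
// The handler shape, EXPECTED_TOKEN and the treatment of x-n8n-key as a
// per-tenant secret are assumptions for this illustration.

const SENSITIVE_HEADERS = new Set(['authorization', 'x-n8n-key', 'cookie']);
const EXPECTED_TOKEN = 'Bearer correct-token'; // placeholder server-side secret

// Constructed sample: an unauthenticated caller presenting a wrong token.
const sampleRequest = {
  method: 'POST',
  url: '/mcp',
  headers: {
    authorization: 'Bearer abc123-not-a-real-token',
    'x-n8n-key': 'tenant-key-xyz',
    'content-type': 'application/json',
  },
  body: JSON.stringify({
    jsonrpc: '2.0', id: 1, method: 'tools/call',
    params: { name: 'get_workflow', arguments: { id: 'wf-42' } },
  }),
};

function isAuthenticated(req) {
  return req.headers.authorization === EXPECTED_TOKEN;
}

// Before: the whole request, headers and body included, is logged first and
// the auth decision is made afterwards, so rejected requests still leak.
function handleVulnerable(req, log) {
  log.push(`incoming ${req.method} ${req.url} ` +
           `headers=${JSON.stringify(req.headers)} body=${req.body}`);
  if (!isAuthenticated(req)) return { status: 401 };
  return { status: 200 };
}

// Replace the values of credential-carrying headers; header names are kept so
// the log still shows which auth mechanism the client used.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// After: the pre-auth log line carries only method, path and redacted headers;
// the JSON-RPC method name is logged only once the caller is authenticated, and
// params (which may hold tool arguments or workflow data) are never logged.
function handleHardened(req, log) {
  log.push(`incoming ${req.method} ${req.url} ` +
           `headers=${JSON.stringify(redactHeaders(req.headers))}`);
  if (!isAuthenticated(req)) {
    log.push(`rejected ${req.method} ${req.url} status=401`);
    return { status: 401 };
  }
  let rpcMethod = 'unknown';
  try { rpcMethod = JSON.parse(req.body).method ?? 'unknown'; } catch { /* not JSON */ }
  log.push(`authenticated ${req.method} ${req.url} rpc=${rpcMethod}`);
  return { status: 200 };
}

// Check: does any log line contain a sensitive header value or the raw body?
// The same check can be pointed at existing log files when assessing exposure.
function logLeaksSecrets(req, log) {
  const secrets = Object.entries(req.headers)
    .filter(([name]) => SENSITIVE_HEADERS.has(name.toLowerCase()))
    .map(([, value]) => value)
    .concat([req.body]);
  return log.some((line) => secrets.some((s) => line.includes(s)));
}

// Run both handlers over one request and report status and leakage per version.
function demo(req = sampleRequest) {
  const vulnLog = [];
  const hardLog = [];
  const vulnStatus = handleVulnerable(req, vulnLog).status;
  const hardStatus = handleHardened(req, hardLog).status;
  return {
    vulnStatus, hardStatus,
    vulnLeaks: logLeaksSecrets(req, vulnLog),
    hardLeaks: logLeaksSecrets(req, hardLog),
    vulnLog, hardLog,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the file with node prints both log arrays side by side: the vulnerable handler returns 401 yet its single log line contains the bogus bearer token, the tenant key and the full JSON-RPC body, while the hardened handler's two lines show only redacted header names and the 401. With a correct token the hardened handler logs the RPC method name and nothing else from the request. The fix is as much about ordering as about redaction: nothing from the request beyond method and path should be written before the authentication decision, and even after it, secrets and payloads should stay out of the log.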

Impact

Bearer tokens and per-tenant API keys written to the log remain valid credentials. Anyone with read access to the log files, a shared log volume, or a downstream log aggregation or monitoring system can harvest them and reuse them against the MCP endpoint, without ever needing to attack the server directly. The logged JSON-RPC payloads may additionally expose tool arguments and other request content. Because the entries are written for rejected requests as well, probing traffic from unauthenticated sources also lands in the log.

Remediation

Upgrade to n8n-MCP version 2.47.11 or later. Where an immediate upgrade is not possible, restrict network access to the HTTP port or switch to the stdio transport mode, which exposes no HTTP interface. Since affected versions have already written credentials to their logs, also review existing log storage and any systems the logs are forwarded to for Authorization and x-n8n-key values, rotate any tokens or keys found there, and purge the affected entries.

Added: May 8, 2026, 10:09 PM
Updated: May 8, 2026, 10:09 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.0
remediation: 0.0
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.