n8n-mcp, Authentication Bypass and Information Disclosure, No CVE (Medium)

Listen to this Post

How the vulnerability works (around 20 lines):

  1. The n8n-mcp HTTP server exposed several transport endpoints without any authentication.
  2. Endpoints like /sessions, /messages, and health check lacked Bearer token validation.
  3. An unauthenticated attacker could send crafted HTTP requests to these endpoints.
  4. The health check endpoint returned sensitive operational metadata (e.g., session IDs, internal config).
  5. By enumerating active session IDs, the attacker could target specific MCP sessions.
  6. The attacker could send `DELETE /sessions/{id}` to terminate any active session.
  7. This caused denial of service for legitimate users relying on those MCP sessions.
  8. The attacker could also inject malformed messages into existing sessions via POST.
  9. The lack of origin or CSRF protection made cross-site attacks possible if the server was web-accessible.
  10. The stdio mode (MCP_MODE=stdio) was not vulnerable because it uses local pipes, not HTTP.
  11. The vulnerability stemmed from the assumption that the HTTP server would run only on localhost.
  12. However, many deployments exposed the HTTP port (default 5678) to the network.
  13. The health endpoint leaked metrics like num_active_sessions, uptime, and version.
  14. This information helps an attacker plan further exploits or target specific versions.
  15. The fix in v2.47.6 adds mandatory Bearer authentication to all MCP session endpoints.
  16. The health check now returns only `{“status”:”ok”}` with no metadata.
  17. No default credentials were set, so prior to patch any request was authorized.
  18. The vulnerability is classified as broken access control (CWE-284) and information exposure (CWE-200).
  19. Attack complexity is low – only requires network access and basic HTTP knowledge.
  20. No user interaction is needed, making it remotely exploitable.

dailycve form:

Platform: n8n-mcp HTTP
Version: before 2.47.6
Vulnerability: Auth bypass, info
Severity: Medium
date: 2026-04-11

Prediction: Already patched (v2.47.6)

(end of form)

What Undercode Say:

Check if vulnerable (replace <target> with IP:port)
curl -v http://<target>:5678/health
If response contains metadata like "active_sessions", it's vulnerable
Enumerate active sessions (pre-patch)
curl http://<target>:5678/sessions
Terminate a session (DoS)
curl -X DELETE http://<target>:5678/sessions/<session_id>
Fixed version health check (safe)
curl http://<target>:5678/health
Expected: {"status":"ok"}
Set Bearer token after upgrade
curl -H "Authorization: Bearer your_token" http://<target>:5678/sessions

Exploit:

  1. Identify target running n8n-mcp HTTP mode (default port 5678).
  2. Send `GET /health` – if returns session count or internal paths, proceed.
  3. Send `GET /sessions` to list active session IDs (if not patched).
  4. For each session ID, send `DELETE /sessions/` to disrupt connections.
  5. Optionally, send `POST /sessions//messages` with arbitrary data to corrupt state.
  6. No authentication required – all requests succeed on vulnerable versions.

Protection from this CVE:

  • Upgrade to n8n-mcp v2.47.6 or later immediately.
  • If upgrade not possible, set `MCP_MODE=stdio` (no HTTP exposure).
  • Restrict network access: use firewall rules to allow only trusted IPs.
  • Place HTTP server behind a reverse proxy with HTTP basic auth.
  • Run the server on localhost only and use SSH tunneling for remote access.
  • Monitor logs for unauthorized access to `/health` or `/sessions` endpoints.

Impact:

  • Unauthenticated attackers can terminate any active MCP session (DoS).
  • Attackers can gather sensitive operational metadata (session IDs, version, uptime).
  • Metadata enables targeted follow-up attacks or reconnaissance.
  • Disruption of MCP-based automation and workflows relying on n8n.
  • No data tampering or code execution, but high availability impact.
  • CVSS v3 base score approximately 5.3 (Medium) – network exploitable, low complexity.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top