Listen to this Post
How the vulnerability works (around 20 lines):
- The n8n-mcp HTTP server exposed several transport endpoints without any authentication.
- Endpoints like
/sessions,/messages, and health check lacked Bearer token validation. - An unauthenticated attacker could send crafted HTTP requests to these endpoints.
- The health check endpoint returned sensitive operational metadata (e.g., session IDs, internal config).
- By enumerating active session IDs, the attacker could target specific MCP sessions.
- The attacker could send `DELETE /sessions/{id}` to terminate any active session.
- This caused denial of service for legitimate users relying on those MCP sessions.
- The attacker could also inject malformed messages into existing sessions via POST.
- The lack of origin or CSRF protection made cross-site attacks possible if the server was web-accessible.
- The stdio mode (
MCP_MODE=stdio) was not vulnerable because it uses local pipes, not HTTP. - The vulnerability stemmed from the assumption that the HTTP server would run only on localhost.
- However, many deployments exposed the HTTP port (default 5678) to the network.
- The health endpoint leaked metrics like
num_active_sessions,uptime, andversion. - This information helps an attacker plan further exploits or target specific versions.
- The fix in v2.47.6 adds mandatory Bearer authentication to all MCP session endpoints.
- The health check now returns only `{“status”:”ok”}` with no metadata.
- No default credentials were set, so prior to patch any request was authorized.
- The vulnerability is classified as broken access control (CWE-284) and information exposure (CWE-200).
- Attack complexity is low – only requires network access and basic HTTP knowledge.
- No user interaction is needed, making it remotely exploitable.
dailycve form:
Platform: n8n-mcp HTTP
Version: before 2.47.6
Vulnerability: Auth bypass, info
Severity: Medium
date: 2026-04-11
Prediction: Already patched (v2.47.6)
(end of form)
What Undercode Say:
Check if vulnerable (replace <target> with IP:port)
curl -v http://<target>:5678/health
If response contains metadata like "active_sessions", it's vulnerable
Enumerate active sessions (pre-patch)
curl http://<target>:5678/sessions
Terminate a session (DoS)
curl -X DELETE http://<target>:5678/sessions/<session_id>
Fixed version health check (safe)
curl http://<target>:5678/health
Expected: {"status":"ok"}
Set Bearer token after upgrade
curl -H "Authorization: Bearer your_token" http://<target>:5678/sessions
Exploit:
- Identify target running n8n-mcp HTTP mode (default port 5678).
- Send `GET /health` – if returns session count or internal paths, proceed.
- Send `GET /sessions` to list active session IDs (if not patched).
- For each session ID, send `DELETE /sessions/
` to disrupt connections. - Optionally, send `POST /sessions/
/messages` with arbitrary data to corrupt state. - No authentication required – all requests succeed on vulnerable versions.
Protection from this CVE:
- Upgrade to n8n-mcp v2.47.6 or later immediately.
- If upgrade not possible, set `MCP_MODE=stdio` (no HTTP exposure).
- Restrict network access: use firewall rules to allow only trusted IPs.
- Place HTTP server behind a reverse proxy with HTTP basic auth.
- Run the server on localhost only and use SSH tunneling for remote access.
- Monitor logs for unauthorized access to `/health` or `/sessions` endpoints.
Impact:
- Unauthenticated attackers can terminate any active MCP session (DoS).
- Attackers can gather sensitive operational metadata (session IDs, version, uptime).
- Metadata enables targeted follow-up attacks or reconnaissance.
- Disruption of MCP-based automation and workflows relying on n8n.
- No data tampering or code execution, but high availability impact.
- CVSS v3 base score approximately 5.3 (Medium) – network exploitable, low complexity.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

