Listen to this Post
Technical
CVE-2026-54052 is a critical vulnerability identified in n8n-mcp, affecting multi-tenant HTTP deployments where a single server instance serves multiple tenants.
The core of the issue lies in the inadequate isolation of the workflow version history feature. In affected versions (up to 2.56.0), when a workflow is updated, the system automatically creates a backup snapshot of the previous version. These backups are stored locally on the server. However, the system fails to properly scope these backups to the specific tenant that owns them.
An authenticated attacker from one tenant can exploit this lack of isolation to perform unauthorized actions on the backups of other tenants. This includes reading the full node definitions from workflow snapshots, which can contain highly sensitive data such as credential references and authorization headers. Furthermore, the attacker can delete or destroy these backups, impacting both the integrity and availability of other tenants’ data. The vulnerability is resolved in version 2.56.1, which implements proper per-instance isolation and includes a migration to clean up previously un-scoped backups.
DailyCVE Form
Platform: n8n-mcp
Version: <= 2.56.0
Vulnerability: Cross-Tenant Access
Severity: Critical
Date: 2026-07-14
Prediction: 2026-07-14
What Undercode Say
Analytics
The vulnerability stems from improper access control in a multi-tenant environment. The `workflow version history` tool did not verify tenant ownership before allowing read, delete, or destroy operations on backup snapshots. A successful exploit grants an attacker visibility into other tenants’ workflow logic and credentials, which could lead to further compromise.
Exploitation vectors
An attacker must have valid authentication as a tenant in the multi-tenant HTTP deployment. No other special privileges are required. The attack can be performed remotely over the network.
How Exploit
An attacker can exploit this vulnerability by interacting with the affected `n8n_workflow_versions` tool. While specific exploit code is not publicly detailed, the attack path involves an authenticated tenant sending crafted requests to access or manipulate workflow version backups that belong to other tenants.
Protection
- Immediate Upgrade: The primary and most effective mitigation is to upgrade to n8n-mcp version 2.56.1 or later.
- Disable Affected Tool: If an immediate upgrade is not possible, disable the vulnerable tool by setting `DISABLED_TOOLS=n8n_workflow_versions` in the server environment (e.g., in the Docker `.env` file).
- Disable Multi-Tenancy: If feasible, avoid running in multi-tenant mode. Serve each tenant from a separate instance with its own database.
- Network Restriction: Restrict network access to the HTTP endpoint to only trusted operators.
Impact
- Confidentiality: Exposure of full workflow definitions, including credential references and authorization headers from other tenants.
- Integrity: Unauthorized deletion or destruction of other tenants’ workflow version backups.
- Availability: Potential loss of workflow version history for other tenants, hindering recovery and rollback capabilities.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

