n8n-MCP Incorrect Authorization Vulnerability (CVE-2026-55608) -DC-Jul2026-975

Listen to this Post

CVE ID: CVE-2026-55608

How the Vulnerability Works

n8n-mcp is an MCP (Model Context Protocol) server that acts as a proxy to the n8n REST API, providing AI assistants with access to n8n node documentation, properties, and operations. The server supports a multi-tenant HTTP mode when the environment variable `ENABLE_MULTI_TENANT` is set to true. In this mode, the server is designed to route requests to specific tenant-scoped n8n instances based on authentication headers provided by clients.
The vulnerability, identified as CVE-2026-55608, resides in the authorization logic governing access to `workflow_versions` backups. n8n-mcp maintains a local storage mechanism for workflow-version backups. In a correctly functioning multi-tenant environment, each tenant should be strictly confined to its own scope, preventing one tenant from accessing the data of another.
However, in versions prior to 2.57.4, an authorization flaw exists. When the server processes a request for workflow-version backups, it fails to properly enforce tenant isolation under certain conditions. Specifically, an authenticated tenant can, under specific circumstances, reach the default-scope `workflow_versions` backups instead of being restricted to its own tenant-scoped backups. This default scope typically contains backups from a prior single-tenant deployment or from a migration period.
The root cause is an incorrect authorization check that does not consistently require a complete tenant context. The server, in these flawed versions, may fall back to serving the default-scope backups when tenant context is incomplete or missing, rather than failing securely (failing closed). This effectively bypasses the intended multi-tenant isolation, allowing a malicious or compromised tenant to read or delete workflow-version snapshots belonging to the default scope.
This vulnerability affects only the n8n-mcp server’s own local workflow-version storage and is not a vulnerability in the n8n API itself. Deployments running in single-tenant mode or using the stdio transport are not affected, as the multi-tenant HTTP attack surface is not present in those configurations.

DailyCVE Form

| Field | Value |

| : | : |

| Platform | n8n-mcp |

| Version | <= 2.57.3 |

| Vulnerability | Incorrect Authorization |

| Severity | Medium (CVSS 4.2) |

| Date | 2026-07-14 |

| Prediction | 2026-07-14 (Patched) |

What Undercode Say: Analytics

Analysis of CVE-2026-55608 reveals a classic case of broken object-level authorization (BOLA) within a multi-tenant architecture. The vulnerability is not a complex logic flaw but rather a failure to consistently validate the tenant context for a specific resource type (workflow_versions). The fix, implemented in version 2.57.4, enforces a strict “fail closed” policy, ensuring that any request for workflow-version backups that cannot be definitively attributed to a specific tenant is rejected. The following analytical commands can be used to audit a system for this vulnerability:

Check n8n-mcp Version:

Check the installed version of n8n-mcp
npm list n8n-mcp

Inspect Multi-Tenant Configuration:

Check if multi-tenant mode is enabled
echo $ENABLE_MULTI_TENANT

Audit for Default-Scope Backups:

Locate the local workflow_versions storage directory (default location)
find /path/to/n8n-mcp/storage -name "workflow_versions"

Exploit

An attacker exploiting this vulnerability would need to meet the following prerequisites:
1. Authenticated Access: The attacker must possess valid credentials (e.g., a valid `AUTH_TOKEN` or `x-n8n-key` header) to authenticate with the n8n-mcp HTTP server.
2. Multi-Tenant HTTP Mode: The n8n-mcp server must be running in multi-tenant HTTP mode with ENABLE_MULTI_TENANT=true.
3. Default-Scope Backups: The server must have default-scope `workflow_versions` backups present, for example, from a prior single-tenant deployment or migration.
Once these conditions are met, an attacker could craft a request to access or delete workflow-version backups. The exact request would target the endpoint responsible for managing workflow versions, manipulating parameters or headers to trigger the fallback to the default scope. The impact is the unauthorized reading or deletion of workflow snapshots, which may contain sensitive workflow configurations, credentials, or business logic.

Protection

Protecting against CVE-2026-55608 involves the following actions:

  1. Immediate Upgrade: The primary and most effective mitigation is to upgrade n8n-mcp to version 2.57.4 or later. This version contains the official patch that corrects the authorization logic.
  2. Network Restriction: If an immediate upgrade is not possible, restrict network access to the n8n-mcp HTTP endpoint using a firewall, reverse proxy, or VPN. This limits the attack surface to only trusted callers.
  3. Switch to stdio Mode: Run n8n-mcp in stdio mode (the default transport) by not enabling HTTP mode. This completely removes the multi-tenant HTTP surface and thus the vulnerability.
  4. Remove Unused Backups: If default-scope backups from a prior single-tenant deployment are no longer needed, remove them to eliminate the exposure.

Impact

  • Confidentiality Breach: An attacker can read workflow-version backups from the default scope. These backups may contain sensitive information, including workflow configurations, API keys, credentials, and other business-critical data.
  • Data Loss: An attacker with the ability to read backups may also be able to delete them, leading to permanent loss of workflow version history.
  • Privilege Escalation: While the vulnerability does not grant direct administrative access to the n8n API, the information leaked from workflow backups could be used to escalate privileges or launch further attacks against the n8n instance or connected systems.
  • Limited Scope: The vulnerability is confined to the n8n-mcp server’s local storage and does not affect the n8n API itself. Single-tenant and stdio deployments are not impacted.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top