Listen to this Post
This CVE stems from a logging flaw when `n8n-mcp` runs in HTTP transport mode. An authenticated MCP `tools/call` request has its full JSON-RPC arguments written to server logs by the request dispatcher and other code paths before any redaction can occur. The critical issue is that if a tool call includes sensitive data—like the `n8n_manage_credentials.data` field containing raw credentials, bearer tokens, or API keys—that secret material is persisted directly into the log file. An attacker who has authenticated with a valid `AUTH_TOKEN` can therefore trigger a `tools/call` request, and if they gain access to the server logs (via shared storage, SIEM tools, or support access), they can extract these secrets. Although the HTTP mode includes a console-silencing layer intended to reduce exposure, that layer is fragile; the values are still constructed and passed to the logger until the underlying function call chain completes. The `stdio` transport is not affected because its execution path short-circuits the vulnerable log calls. The patch resolves the issue by routing tool-call arguments through a metadata-only summarizer (summarizeToolCallArgs) which records only the type, top-level key names, and approximate size—never the actual values. This same pattern was previously adopted for HTTP request bodies in a related advisory (GHSA-pfm2-2mhg-8wpx).
DailyCVE Form
- Platform: Node.js (npm)
- Version: v2.47.12 earlier
- Vulnerability: Credential leak logs
- Severity: Medium (4.3)
- date: 2026-04-21
- Prediction: Upgrade immediately (v2.47.13+)
What Undercode Say:
Check for vulnerable HTTP transport mode
grep -E "MCP_MODE=http" .env
Simulate a tool call that would leak credentials
curl -X POST http://localhost:3000/mcp -H "Authorization: Bearer $AUTH_TOKEN" -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"n8n_manage_credentials","arguments":{"data":"secret123"}}}'
Examine logs for leaked data
journalctl -u n8n-mcp | grep "n8n_manage_credentials.data"
Exploit:
An authenticated attacker can send a crafted `tools/call` request containing arbitrary sensitive data, such as a credential object. Because the logger serializes the entire JSON-RPC payload without redaction, the plaintext secret is written to the log file. The attacker can then access those logs through misconfigured SIEM pipelines, shared log viewers, or support dashboards to harvest bearer tokens, OAuth secrets, and per-tenant API keys. While the authentication requirement reduces the pool of potential attackers, any credential that can log in becomes a lead for lateral movement within the environment.
Protection from this CVE
- Upgrade immediately to `n8n-mcp` version `2.47.13` or later.
- Switch to `stdio` transport by setting `MCP_MODE=stdio` (the default for CLI invocation), which bypasses the affected log calls entirely.
- Restrict network access to the HTTP port (use a firewall, reverse proxy, or VPN) so only trusted clients can authenticate.
- Tighten access to server log storage (avoid sharing logs across trust boundaries, restrict support/ops read permissions) until the upgrade is applied.
Impact
Exploitation leads to unauthorized disclosure of sensitive information with a CVSS score of 4.3 (Medium). An attacker with valid credentials could view plaintext credentials, OAuth tokens, API keys, and other secrets that are passed as arguments to MCP tools. In environments where logs are aggregated into a SIEM or made accessible to operators, this information can be exfiltrated and used for further account compromise or lateral movement. The attack is network-based, has low complexity, requires low privileges, and results in a limited confidentiality impact with no effect on integrity or availability.
References
- Advisory: GHSA-wg4g-395p-mqv3
- CWE: CWE-532 – Insertion of Sensitive Information into Log File
- CVSS: 4.3 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
- Fixed Version: v2.47.13 (npm/docker)
- Credit: @Mirr2 (Organization / Jormungandr)
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

