CVE-2026-54052 in n8n-mcp
Summary
by MITRE • 07/15/2026
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.56.1, in HTTP mode with multi-tenancy enabled through ENABLE_MULTI_TENANT=true, n8n-mcp's local workflow version history backups were not isolated per tenant, allowing an authenticated tenant to read workflow version snapshots belonging to other tenants and delete or destroy other tenants' stored backups, including full node definitions, credential references, and authorization headers. This issue is fixed in version 2.56.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/15/2026
The n8n-MCP vulnerability represents a critical multi-tenancy isolation failure that undermines the security boundaries between separate tenant environments within the n8n workflow automation platform. This flaw specifically affects deployments operating in HTTP mode with multi-tenancy enabled through the ENABLE_MULTI_TENANT=true configuration flag, creating a scenario where tenants can bypass normal access controls to access each other's data. The vulnerability stems from inadequate isolation mechanisms in the local workflow version history backup system, which fails to properly segment tenant-specific data storage and retrieval operations.
The technical implementation of this vulnerability occurs at the backup management layer where workflow version snapshots are stored locally on the server filesystem. Without proper tenant isolation, authenticated users within one tenant can exploit the shared backup storage mechanism to read, modify, or delete workflow version history data belonging to other tenants. This encompasses not only the workflow definitions themselves but also sensitive credential references and authorization headers that may be embedded within the node configurations. The flaw essentially allows for cross-tenant data leakage and potential destruction of other tenants' workflow backups.
From an operational impact perspective, this vulnerability creates significant risks for organizations using n8n-MCP in multi-tenant environments such as managed service providers or cloud deployments where multiple customers share the same infrastructure. An attacker with valid tenant credentials could access proprietary workflow logic, extract sensitive authentication information, and potentially disrupt other tenants' operations by deleting backup data. The severity is amplified because the affected data includes full node definitions that may contain business-critical automation processes and credential information that could be leveraged for further attacks.
The vulnerability aligns with CWE-284 (Improper Access Control) and represents a specific implementation failure in multi-tenancy security controls within the n8n-MCP system. It also maps to ATT&CK technique T1531 (Create or Modify System Process) as attackers could potentially modify backup files to inject malicious workflows, and T1078 (Valid Accounts) since the attack requires only legitimate tenant authentication. The fix implemented in version 2.56.1 addresses this by introducing proper tenant isolation mechanisms for local workflow version history backups, ensuring that each tenant's backup data remains completely separate from other tenants' data.
Organizations using n8n-MCP with multi-tenancy enabled should immediately upgrade to version 2.56.1 or later to remediate this vulnerability. Additionally, administrators should conduct thorough audits of existing tenant data to identify any potential unauthorized access that may have occurred. The mitigation strategy should include implementing network-level access controls and monitoring for unusual backup file access patterns that could indicate exploitation attempts. Regular security assessments of multi-tenant deployments are essential to prevent similar isolation failures in other components of the system architecture.