n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8NAPIURL / N8NAPIKEY credentials configured for the operator's own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own. This affects HTTP-mode deployments of n8n-mcp that are run as a shared multi-tenant service. Single-tenant deployments (ENABLEMULTITENANT unset or false) are not affected. This vulnerability is fixed in 2.51.2.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45707.json",
"cwe_ids": [
"CWE-284"
],
"cna_assigner": "GitHub_M"
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:n8n-mcp:n8n-mcp:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.51.2"
}
]
}