n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions

Vulnerability

When @n8n/mcp-browser is run with the HTTP transport (--transport http), the MCP endpoint accepts session initialization and tool invocation requests without any authentication. This affects all versions prior to n8n 2.25.7 and 2.26.2. The default stdio transport is not affected [1][2].

Exploitation

Any network-reachable client, or any website visited by the user (if the browser can reach the HTTP endpoint), can establish an MCP session and invoke browser-control tools without requiring any credentials or prior authentication. The attack does not require user interaction beyond the browser being connected and the extension active [1][2].

Impact

An unauthenticated caller can access browser-control capabilities including navigation, JavaScript evaluation, and cookie and storage access against the user's real browser profile, if the n8n AI Browser Bridge extension is installed and a browser connection is active. This results in high confidentiality, integrity, and availability impact as per CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L [1][2].

Mitigation

The vulnerability has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators should avoid running @n8n/mcp-browser with the HTTP transport; if HTTP transport is required, restrict network access to the listening port using host-based firewall rules. These workarounds do not fully remediate the risk and should only be used as short-term measures [1][2].