VYPR

npm package

n8n-mcp

pkg:npm/n8n-mcp

Vulnerabilities (5)

  • CVE-2026-44694CriMay 8, 2026
    affected >= 2.18.7, < 2.50.2fixed 2.50.2

    n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API cl

  • CVE-2026-42282MedMay 8, 2026
    affected < 2.47.13fixed 2.47.13

    n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to ser

  • CVE-2026-41495MedMay 8, 2026
    affected < 2.47.11fixed 2.47.11

    n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.11, when n8n-mcp runs in HTTP transport mode, incoming requests to the POST /mcp endpoint had their request metadata written to server logs reg

  • CVE-2026-42449HigMay 7, 2026
    affected >= 2.47.4, < 2.47.14fixed 2.47.14

    n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous

  • CVE-2026-39974HigApr 9, 2026
    affected < 2.47.4fixed 2.47.4

    n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cau