CVE-2026-45582

描述

## Summary In affected versions of n8n-mcp, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in `PRIVACY.md`. ## Impact Operators with access to the project's telemetry backend could read partial fragments of workflow URL parameters that should not have been collected. The bug was scoped to URL-shaped fields in workflow *definitions*; credentials, OAuth tokens, and workflow *execution* data are not affected — credentials are removed by a separate code path, and long secrets and known-provider tokens are matched by dedicated patterns. ## Patches Fixed in **n8n-mcp `2.51.3`**. Upgrading is the recommended remediation. ## Workarounds For users who cannot upgrade immediately, disable anonymous telemetry by setting any of these environment variables to `true`: - `N8N_MCP_TELEMETRY_DISABLED` - `TELEMETRY_DISABLED` - `DISABLE_TELEMETRY` ## Credit Reported by @u-ktdi.

受影響套件(1)

• npm/n8n-mcpfrom 0, < 2.51.3

CVSS 分數

參考連結(5)

• PATCHhttps://github.com/czlonkowski/n8n-mcp
• WEBhttps://github.com/czlonkowski/n8n-mcp/commit/6cf6fef653fcd6d598f2f356aac4754931c7329f
• WEBhttps://github.com/czlonkowski/n8n-mcp/pull/782
• WEBhttps://github.com/czlonkowski/n8n-mcp/releases/tag/v2.51.3
• WEBhttps://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-f3rg-xqjj-cj9w