SCA: security update for n8n-mcp (GHSA-wg4g-395p-mqv3)

medium Tenable Self-Hosted Container Security Plugin ID 440894

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and
operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP
tools/call requests had their full arguments and JSON-RPC params written to server logs by the request
dispatcher and several sibling code paths before any redaction. When a tool call carries credential
material — most notably n8n_manage_credentials.data — the raw values can be persisted in logs. In
deployments where logs are collected, forwarded to external systems, or viewable outside the request trust
boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of
bearer tokens and OAuth credentials sent through n8n_manage_credentials; per-tenant API keys and webhook
auth headers embedded in tool arguments; and arbitrary secret-bearing payloads passed to any MCP tool. The
issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot
trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but
that layer is fragile and the values are still constructed and passed into the logger. This issue has been
patched in version 2.47.13. (CVE-2026-42282)
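
Because any MCP tool may carry secrets in its arguments, a dispatcher avoids the ordering problem described above by deriving a value-free summary first and passing only that summary to the logger. The following is an added example, not n8n-mcp's code or its actual patch; the function names, the MAX_DEPTH limit and the sample request's action/accessToken/headers fields are assumptions constructed for illustration.

```javascript
// Added example (not n8n-mcp code): build a log-safe summary of a JSON-RPC
// request so that argument values are never handed to the logger.
const MAX_DEPTH = 4; // assumption: cap recursion on very deep payloads

// Keep key names only; replace every leaf value with a type/size descriptor.
function shapeOf(value, depth = 0) {
  if (value === null) return "null";
  if (Array.isArray(value)) return `array(${value.length})`;
  if (typeof value === "string") return `string(${value.length})`;
  if (typeof value !== "object") return typeof value;
  if (depth >= MAX_DEPTH) return "object(...)";
  const out = {};
  for (const key of Object.keys(value)) out[key] = shapeOf(value[key], depth + 1);
  return out;
}

// Summarise a request for logging: method, id, tool name, argument shape.
function summarizeRpcForLog(request) {
  const raw = request ? request.params : undefined;
  const params = raw !== null && typeof raw === "object" ? raw : {};
  const summary = { method: String(request?.method), id: request?.id ?? null };
  if (request?.method === "tools/call") {
    summary.tool = typeof params.name === "string" ? params.name : "<invalid>";
    summary.arguments = shapeOf(params.arguments ?? {});
  } else {
    summary.params = shapeOf(params);
  }
  return summary;
}

// The only string the logger ever receives is built from the summary.
function logLine(request) {
  return JSON.stringify({ event: "mcp.request", ...summarizeRpcForLog(request) });
}

// Constructed sample request; the credential values are fake.
const sampleRequest = {
  jsonrpc: "2.0", id: 7, method: "tools/call",
  params: {
    name: "n8n_manage_credentials",
    arguments: { action: "create", data: { accessToken: "FAKE-TOKEN-0000", headers: ["X-Auth: FAKE"] } },
  },
};

console.log(logLine(sampleRequest));
```

A key-name denylist alone would miss secrets carried under unexpected keys, which is why this sketch drops all values rather than masking selected fields.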

Solution

Update the n8n-mcp library and its related packages to version 2.47.13 or later.

See Also

https://github.com/advisories/GHSA-wg4g-395p-mqv3

Plugin Details

Severity: Medium

ID: 440894

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/26/2026

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2026-42282

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/25/2026

Vulnerability Publication Date: 4/25/2026

Reference Information

CVE: CVE-2026-42282

CWE: CWE-532