Skip to content

n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments

Critical severity GitHub Reviewed Published Jun 3, 2026 in czlonkowski/n8n-mcp • Updated Jul 14, 2026

Package

npm n8n-mcp (npm)

Affected versions

<= 2.56.0

Patched versions

2.56.1

Description

Impact

In multi-tenant HTTP deployments — where a single n8n-mcp server serves several tenants — the locally stored workflow version history (the automatic backups taken before workflow updates) was not isolated per tenant. An authenticated tenant could read workflow version snapshots belonging to other tenants, and could delete or destroy other tenants' stored backups.

A stored snapshot includes full node definitions, so the exposed data can contain credential references and authorization headers configured on nodes. This is therefore a confidentiality issue in addition to an integrity/availability one.

Affected configurations

  • HTTP mode with multi-tenancy enabled (ENABLE_MULTI_TENANT=true), where multiple tenants are served by a single shared instance and database.

Not affected:

  • stdio / single-user deployments (e.g. Claude Desktop).
  • Single-tenant HTTP deployments (one tenant per instance and database).

Affected versions

<= 2.56.0

Patched version

2.56.1. The stored version history is now isolated per instance, so a tenant can only access its own backups. Upgrading runs a one-time migration that isolates existing history and clears previously stored, un-scoped backups (these are auto-created, short-retention backups).

Workarounds

If users cannot upgrade immediately:

  • Disable the workflow version tool by setting DISABLED_TOOLS=n8n_workflow_versions in the server environment (for example, in your Docker .env). This removes the affected tool from the deployment for all tenants; automatic backups are unaffected, but the cross-tenant access path is closed.
  • Alternatively, do not run in multi-tenant mode — serve each tenant from a separate instance with its own database, so no local store is shared between tenants.
  • Restrict network access to the HTTP endpoint to trusted operators.

stdio and single-tenant HTTP deployments are not affected.

Credit

Reported by Francisco Rosales (@0xmagic0) and coordinated by Ax Sharma (@axsharma) of Manifold Security.

References

@czlonkowski czlonkowski published to czlonkowski/n8n-mcp Jun 3, 2026
Published to the GitHub Advisory Database Jul 14, 2026
Reviewed Jul 14, 2026
Last updated Jul 14, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(13th percentile)

Weaknesses

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Learn more on MITRE.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

CVE ID

CVE-2026-54052

GHSA ID

GHSA-j6r7-6fhx-77wx

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.