CVE-2026-45582
n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
Description
## Summary In affected versions of n8n-mcp, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in `PRIVACY.md`. ## Impact Operators with access to the project's telemetry backend could read partial fragments of workflow URL parameters that should not have been collected. The bug was scoped to URL-shaped fields in workflow *definitions*; credentials, OAuth tokens, and workflow *execution* data are not affected — credentials are removed by a separate code path, and long secrets and known-provider tokens are matched by dedicated patterns. ## Patches Fixed in **n8n-mcp `2.51.3`**. Upgrading is the recommended remediation. ## Workarounds For users who cannot upgrade immediately, disable anonymous telemetry by setting any of these environment variables to `true`: - `N8N_MCP_TELEMETRY_DISABLED` - `TELEMETRY_DISABLED` - `DISABLE_TELEMETRY` ## Credit Reported by @u-ktdi.
How to fix CVE-2026-45582
To remediate CVE-2026-45582, upgrade the affected package to a fixed version below.
- —upgrade to 2.51.3 or later
Is CVE-2026-45582 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.51.3