
Vulnerabilities from the last week
Failing Open
n8n-mcp is an integration between n8n workflow automation and Model Context Protocol (MCP).
Affected versions of this package are vulnerable to Failing Open when handling multi-tenant HTTP requests (ENABLE_MULTI_TENANT=true) containing one or neither of the x-n8n-url and x-n8n-key headers. An operator can gain unauthorized access to workflows, executions, data-table contents, and credential metadata, and potentially escalate privileges to execute arbitrary code within the operator's environment, because the absence of these headers falls back to associating the request with process-level credentials. This is only exploitable if the deployment is running in HTTP mode.
Arbitrary Code Execution
modelscope (ModelScope) brings the notion of Model-as-a-Service to life.
Affected versions of this package are vulnerable to Arbitrary Code Execution from the pipeline interface. There, a user can supply a malicious model that loads arbitrary modules via an acoustic-echo-cancellation task.
Insufficient Granularity of Access Control
org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.
Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the getMembers() methods that serve the group members endpoint. An admin user with delegated access to read group memberships and users can read user profile attributes that are explicitly configured to be denied by using their delegated administrative access to expose those values over the group membership API.
Recent vulnerabilities disclosed by Snyk
- [H] Command Injection in degit (npm)
- [C] Malicious Package in moustick (npm)
- [C] Malicious Package in cookie-parser-legacy (npm)
- [M] Arbitrary File Write via Archive Extraction (Zip Slip) in decompress (npm)
- [H] CSV Injection in json-2-csv (npm)
Snyk security researchers have disclosed 3497 vulnerabilities
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.




