Missing Authentication for Critical Function Affecting n8n-mcp package, versions <2.47.6

Q: How to fix?

Upgrade n8n-mcp to version 2.47.6 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Missing Authentication for Critical Function vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JS-N8NMCP-15995501
published12 Apr 2026
disclosed10 Apr 2026
credityotampe-pluto

Report a new vulnerability Found a mistake?

Introduced: 10 Apr 2026

NewCWE-306 (opens in a new tab)

How to fix?

Upgrade n8n-mcp to version 2.47.6 or higher.

Overview

n8n-mcp is an Integration between n8n workflow automation and Model Context Protocol (MCP)

Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to missing authentication in several HTTP transport endpoints and exposure of sensitive operational metadata in the health check endpoint. An attacker can terminate active sessions and obtain information useful for further attacks by sending unauthenticated requests to the affected endpoints.

Workaround

This vulnerability can be mitigated by restricting network access to the HTTP server using firewall rules, reverse proxy IP allowlists, or a VPN, or by using stdio mode (MCP_MODE=stdio) instead of HTTP mode.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None