Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-45582 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
In affected versions of n8n-mcp, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md.
Operators with access to the project's telemetry backend could read partial fragments of workflow URL parameters that should not have been collected. The bug was scoped to URL-shaped fields in workflow definitions; credentials, OAuth tokens, and workflow execution data are not affected — credentials are removed by a separate code path, and long secrets and known-provider tokens are matched by dedicated patterns.
Fixed in n8n-mcp 2.51.3. Upgrading is the recommended remediation.
For users who cannot upgrade immediately, disable anonymous telemetry by setting any of these environment variables to true:
N8N_MCP_TELEMETRY_DISABLEDTELEMETRY_DISABLEDDISABLE_TELEMETRYReported by @u-ktdi.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.