What happened
n8n-mcp, an MCP server giving AI assistants access to n8n node documentation and operations, failed to isolate workflow-version backup storage per tenant in its multi-tenant HTTP deployment mode, exposing other tenants' stored credential references and authorization headers.
Why it matters
n8n-mcp lets AI agents operate n8n automation workflows; a cross-tenant break in a shared MCP deployment can leak API credentials and let one tenant destroy another's automation history, a serious confidentiality and integrity failure for multi-tenant agentic automation platforms.
Attack vector
In HTTP mode with multi-tenancy enabled, local workflow version-history backups were stored without per-tenant isolation, letting an authenticated tenant read, delete, or destroy other tenants' stored workflow snapshots — which include full node definitions such as credential references and authorization headers.
Affected systems
n8n-mcp prior to 2.56.1
Mitigation
Upgrade to n8n-mcp 2.56.1 or later.