What happened
Prior to n8n 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client — or any website visited by the n8n user's browser via a cross-site request — can invoke MCP tools with full n8n context. CVSS 8.8 High, published 2026-06-23.
Why it matters
n8n is a widely-deployed workflow automation platform increasingly used as an AI agent orchestrator. Unauthenticated MCP tool invocation allows attackers to trigger any n8n workflow action, read connected credentials, and execute arbitrary automations — including those with cloud service access, database writes, and external API calls.
Attack vector
HTTP request (including cross-site from attacker webpage) to unauthenticated MCP HTTP endpoint; session initialization and tool invocation accepted without credentials
Affected systems
n8n < 2.25.7 (v2.25.x) and < 2.26.2 (v2.26.x) with @n8n/mcp-browser in HTTP transport mode
Mitigation
Upgrade to n8n 2.25.7 or 2.26.2. Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-qrx8-25qr-5r7v