Files
wehub-resource-sync 409e92d6ae
Dependency Compatibility Check / Fresh Install Dependency Check (push) Waiting to run
Build and Publish n8n Docker Image / test-image (push) Blocked by required conditions
Build and Publish n8n Docker Image / build-and-push (push) Waiting to run
Build and Publish n8n Docker Image / create-release (push) Blocked by required conditions
Build and Push Docker Images / Build Docker Image (push) Has been cancelled
Build and Push Docker Images / Build Railway Docker Image (push) Has been cancelled
Automated Release / Detect Version Change (push) Waiting to run
Automated Release / Generate Release Notes (push) Blocked by required conditions
Automated Release / Create GitHub Release (push) Blocked by required conditions
Automated Release / Package MCPB Bundle (push) Blocked by required conditions
Automated Release / Build and Verify (push) Blocked by required conditions
Automated Release / Publish to NPM (push) Blocked by required conditions
Automated Release / Build and Push Docker Images (push) Blocked by required conditions
Secret Scan / secretlint (push) Waiting to run
Test Suite / test (push) Waiting to run
Test Suite / cjs-runtime (push) Waiting to run
Test Suite / publish-results (push) Blocked by required conditions
Automated Release / Update Documentation (push) Blocked by required conditions
Automated Release / Notify Release Completion (push) Blocked by required conditions
chore: import upstream snapshot with attribution
2026-07-13 12:41:06 +08:00

1.7 KiB

Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability in n8n-mcp, please report it through GitHub's private vulnerability reporting. Do not create public issues for security vulnerabilities.

Supported Versions

Only the latest release receives security patches. We recommend always running the latest version.

Response Process

  1. We will acknowledge your report within 72 hours
  2. We will investigate and determine severity
  3. If confirmed, we will develop and release a fix
  4. We will credit reporters in the advisory (unless they prefer otherwise)

For the full incident response process, see our Incident Response Plan.

Scope

n8n-mcp is a proxy to the n8n REST API. The security boundary is n8n itself, not n8n-mcp. Reports about capabilities that are inherent to the n8n API (e.g., creating workflows with Code nodes) are out of scope, as n8n-mcp does not grant any capability beyond what the n8n API already provides.

In-scope examples:

  • Authentication bypass in the MCP HTTP transport
  • Information disclosure (credential leaks, token exposure)
  • Injection vulnerabilities in n8n-mcp's own code
  • Dependency vulnerabilities with a viable exploit path

Out-of-scope examples:

  • n8n platform capabilities accessible through any n8n API client
  • General LLM prompt injection risks (these affect all MCP servers equally)
  • Denial of service through normal API usage

For deployment hardening guidance, see the Security & Hardening guide. For the STRIDE threat model, see docs/THREAT_MODEL.md.