The n8n-mcp server prior to version 2.51.3 contained a vulnerability (CWE-201) where the workflow telemetry sanitizer failed to fully remove sensitive information embedded in HTTP-Request-style node parameters before sending telemetry data. This caused partial fragments of sensitive URL parameters, including customer or tenant identifiers and short secrets in query strings, to be included in telemetry sent to the anonymous backend. This behavior violates the privacy boundary defined in the project's PRIVACY.md documentation. The vulnerability is addressed by updating to version 2.51.3, which corrects the telemetry sanitizer to prevent sensitive data leakage.

Sensitive information such as customer or tenant identifiers and short secrets embedded in URL parameters could be inadvertently included in telemetry data sent to the anonymous backend. This could lead to unintended exposure of sensitive data outside the intended collection boundary. There is no indication of impact on data integrity or availability, and no known exploits in the wild have been reported.

Upgrade n8n-mcp to version 2.51.3 or later, where the telemetry sanitizer properly removes sensitive URL parameter fragments before sending telemetry data. Patch status is confirmed by the vendor advisory stating the issue is fixed in 2.51.3. No additional mitigation steps are indicated.