Community
Classroom
Calendar
Members
Map
Leaderboards
About
17d • 🧠 AI Signals
Your MCP server might be writing credentials to its logs.
Last week's n8n-MCP patch (https://nvd.nist.gov/vuln/detail/CVE-2026-42282) made it concrete: in HTTP mode, every credential passed through a tool call was being written to the server's logs in plaintext, before any redaction kicked in. Bearer tokens, OAuth creds, API keys — all sitting wherever your logs end up, readable by anyone with log access.
Fixed in v2.47.13. Update if you're running it.
But the thing I keep sitting with isn't this one CVE. It's the pattern underneath it.
MCP tool calls move data through a part of the stack ops teams have been treating as "just logs" forever - SIEM ingestion, log aggregators, shared cold storage. None of that infrastructure knows the difference between a debug message and a credential. It just stores whatever shows up.
And the MCP spec, as it stands, has no way to tag a tool argument as *this is a secret, don't log it*. Every server author re-implements redaction on their own. Some get it right. n8n-MCP didn't — they had a silencing layer that was just fragile enough to fail. Most other servers don't have even that.
Which means a lot of us are probably running MCP servers right now that are quietly writing credentials into logs we've never actually looked at.
A question I'm curious about: if you're running an MCP server - in production, in your homelab, anywhere - when was the last time you actually opened its logs and read what shows up when a tool call carries credential material? Drop a thought, a war story, or even just a "huh, I should check" below.
I'll share what I find on mine, and I'm putting together a short follow-up next week with the specific things I'm looking at. More fun if we figure it out together.
— Josh
1
0 comments
Josh Botz
3
Your MCP server might be writing credentials to its logs.
powered by
AI Cloud Security Lab
skool.com/security-builder-lab-2699
This group is closing June 25th, 2026. The Wazuh lab will remain free on GitHub.
Stay connected on LinkedIn: https://linkedin.com/in/joshbotz
Suggested communities
AI Profit Boardroom
AI Video Bootcamp
AI for Beginners
Agentic AI for Founders
Tech Confident Community
Build your own community
Bring people together around your passion and get paid.
Powered by