Description
n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4.
Published: 2026-04-09
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Authenticated SSRF
Action: Apply Patch
AI Analysis

Impact

Authenticated Server-Side Request Forgery exists in n8n-MCP versions prior to 2.47.4. An operator holding a valid AUTH_TOKEN can supply an arbitrary URL in a multi-tenant HTTP header; the server will issue an HTTP request to that URL and return the response body through JSON-RPC. This flaw allows a threat actor who obtains a token, including a less-trusted client with whom a token has been shared, to read any content the server can reach, including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and arbitrary hosts. The vulnerability is classified as CWE-918 and can lead to significant confidentiality compromise and further exploitation once credentials or internal topology are exposed.

Affected Systems

The vulnerability affects installations of n8n-MCP up to and including version 2.47.3 that run in multi-tenant HTTP mode. Deployments that are single-tenant STDIO or HTTP without the multi-tenant header are not affected. The issue is resolved in release 2.47.4, where the SSRF vector has been closed.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. The vulnerability requires authenticated access; thus the attacker must possess or acquire a valid AUTH_TOKEN. Once authenticated, the exploitation path is straightforward: supply a malicious instance-URL header and read the reflected response. No exploit probability score is provided, and the vulnerability is not listed in CISA's KEV catalog. The risk remains high for environments that share tokens with less-trusted parties or have lax token control.

Generated by OpenCVE AI on April 9, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update n8n-MCP to version 2.47.4 or later
  • If upgrading is not immediately possible, restrict or revoke any shared AUTH_TOKENs and ensure tokens are issued only to trusted operators
  • Disable multi-tenant HTTP mode or remove the instance-URL header handling in current deployments
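Where the instance-URL header cannot simply be removed, the defensive pattern is to validate the operator-supplied URL against an explicit allowlist of n8n hosts before the server makes any outbound request with it, with a denylist of loopback, link-local, private and metadata addresses as defence in depth. The following TypeScript is an added example and not n8n-mcp's own code; the function name validateInstanceUrl, the allowlist parameter, the denylist contents and the sample URLs are assumptions for illustration.

```typescript
// Added example, not code from n8n-mcp: validate an operator-supplied instance
// URL before the server issues any request with it. Names are assumptions.

interface InstanceUrlCheck {
  ok: boolean;
  reason?: string;
  url?: URL;
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Names that must never be fetched on a caller's behalf (assumed denylist; the
// operator allowlist checked last is the real control, this is defence in depth).
const FORBIDDEN_HOSTS = new Set(["localhost", "metadata", "metadata.google.internal"]);
const FORBIDDEN_SUFFIXES = [".localhost", ".internal"];

// Dotted-decimal IPv4 only: the WHATWG URL parser has already normalised
// decimal (2130706433) and hex (0x7f000001) host forms to this shape.
function parseIPv4(host: string): number[] | null {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

function isForbiddenIPv4([a, b]: number[]): boolean {
  return (
    a === 0 || a === 10 || a === 127 ||        // "this" network, RFC 1918, loopback
    (a === 169 && b === 254) ||                // link-local, incl. 169.254.169.254 (IMDS)
    (a === 172 && b >= 16 && b <= 31) ||       // RFC 1918
    (a === 192 && b === 168) ||                // RFC 1918
    (a === 100 && b >= 64 && b <= 127) ||      // shared address space 100.64.0.0/10
    a >= 224                                   // multicast and reserved
  );
}

// Operates on the bracket-less literal as serialised by the URL parser.
function isForbiddenIPv6(literal: string): boolean {
  const ip = literal.toLowerCase();
  if (ip === "::" || ip === "::1") return true;     // unspecified / loopback
  if (ip.startsWith("::ffff:")) return true;        // IPv4-mapped: refuse outright
  return (
    ip.startsWith("fe80:") ||                       // link-local
    ip.startsWith("fc") || ip.startsWith("fd") ||   // unique-local fc00::/7
    ip.startsWith("fec0:")                          // deprecated site-local
  );
}

function validateInstanceUrl(raw: string, allowedHosts: string[]): InstanceUrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  const host = url.hostname.toLowerCase();
  if (host.startsWith("[") && host.endsWith("]")) {
    if (isForbiddenIPv6(host.slice(1, -1))) {
      return { ok: false, reason: "IPv6 address is loopback, link-local or private" };
    }
  } else {
    const v4 = parseIPv4(host);
    if (v4 && isForbiddenIPv4(v4)) {
      return { ok: false, reason: "IPv4 address is loopback, link-local or private" };
    }
  }
  if (FORBIDDEN_HOSTS.has(host) || FORBIDDEN_SUFFIXES.some((s) => host.endsWith(s))) {
    return { ok: false, reason: "internal hostname" };
  }
  if (!allowedHosts.map((h) => h.toLowerCase()).includes(host)) {
    return { ok: false, reason: "host not in operator allowlist" };
  }
  return { ok: true, url };
}
```

A hostname check alone does not bind the request to the address that was checked: the resolved IP must be validated again at connect time (DNS rebinding), and any redirect must be re-validated before it is followed (fetch with redirect set to "manual" and run the Location value through the same function). Logging every rejected URL together with the presenting token's identity gives the operator a detection signal for token misuse.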



Advisories
Source: GitHub GHSA
ID: GHSA-4ggg-h7ph-26qr
Title: n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode
History

Mon, 20 Apr 2026 18:45:00 +0000

Type                 Values removed   Values added
First Time appeared  -                N8n-mcp; N8n-mcp n8n-mcp
CPEs                 -                cpe:2.3:a:n8n-mcp:n8n-mcp:*:*:*:*:*:*:*:*
Vendors & Products   -                N8n-mcp; N8n-mcp n8n-mcp

Mon, 13 Apr 2026 20:30:00 +0000

Type      Values removed   Values added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type                 Values removed   Values added
First Time appeared  -                Czlonkowski; Czlonkowski n8n-mcp
Vendors & Products   -                Czlonkowski; Czlonkowski n8n-mcp

Thu, 09 Apr 2026 17:00:00 +0000

Type          Values removed   Values added
Description   -                n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4.
Title         -                n8n-MCP has an Authenticated SSRF via instance-URL header in multi-tenant HTTP mode
Weaknesses    -                CWE-918
References    -                -
Metrics       -                cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:09:26.781Z

Reserved: 2026-04-08T00:01:47.628Z

Link: CVE-2026-39974

Vulnrichment

Updated: 2026-04-13T20:09:23.319Z

NVD

Status : Analyzed

Published: 2026-04-09T17:16:30.933

Modified: 2026-04-20T18:32:37.983

Link: CVE-2026-39974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:06Z

Weaknesses