CVE-2026-42449 - Vulnerability Details

Description

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous URL validator in SSRFProtection.validateUrlSync() had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an n8nApiUrl value could cause the server to issue HTTP requests to cloud metadata endpoints, RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the n8nApiKey is forwarded in the x-n8n-api-key header to the attacker-controlled target. Projects with deployments embedding n8n-mcp as an SDK using N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext are affected. The first-party HTTP server deployment was not primarily affected — it has a second async validator (validateWebhookUrl) that catches IPv6 addresses. This issue has been fixed in version 2.47.14. If users are unable to upgrade immediately as a workaround they can validate URLs before passing to the SDK, restrict egress at the network layer, and reject user-controlled n8nApiUrl values.

Published: 2026-05-07

Score: 8.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

n8n‑MCP implements a synchronous URL validator that is intended to prevent server‑side request forgery by rejecting URLs pointing to cloud‑metadata, localhost, or private IP ranges. The validator however does not support IPv6, allowing IPv4‑mapped IPv6 addresses such as http://[::ffff:169.254.169.254] to pass the check. As a result, an attacker who can influence the n8nApiUrl parameter can make the server issue HTTP requests to internal services or cloud‑metadata endpoints. The response body is returned to the caller and the attacker‑controlled target receives the n8nApiKey in a header, exposing sensitive credentials and enabling a full, non‑blind SSRF.

Affected Systems

This flaw affects the n8n‑MCP server released by czlonkowski, specifically versions 2.47.4 through 2.47.13. The attack surface is the SDK embedder API (N8NDocumentationMCPServer or N8NMCPEngine) when a user supplies an InstanceContext that includes an n8nApiUrl. The main n8n HTTP server deployment is not directly affected because it uses an additional asynchronous validator that catches IPv6 addresses.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity vulnerability. There is no EPSS score available, and the issue is not yet catalogued in CISA KEV. If an attacker can supply the n8nApiUrl value, they can exploit the flaw by crafting a malicious InstanceContext that includes an IPv4‑mapped IPv6 address. Once injected, the server will fetch data from internal endpoints, return the content to the attacker, and forward the API key in a header, providing full access to privileged resources without authentication.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

czlonkowski

n8n-mcp

affected

Version	Status	Constraints
`>= 2.47.4, < 2.47.14`	affected	—

No data.

Vendor Product Confidence Versions

Czlonkowski

N8n-mcp

100%

Version	Status	Scheme	Platform
`[2.47.4,2.47.14)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest patch version 2.47.14 or later of n8n‑MCP
Reject or whitelist user‑supplied n8nApiUrl values in InstanceContext before they reach the SDK
Validate all URLs locally against strict IPv4‑/IPv6‑rules to block mapped addresses
Restrict outbound traffic from the n8n‑MCP server to disallow connections to RFC1918 ranges, localhost and cloud‑metadata endpoints

Generated by OpenCVE AI on May 7, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-56c3-vfp2-5qqj	n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/czlonkowski/n8n-mcp/commit/9639f757853149f0cb16663cc8b6b6468f27a25f
https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-56c3-vfp2-5qqj

History

Thu, 07 May 2026 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Czlonkowski Czlonkowski n8n-mcp
Vendors & Products		Czlonkowski Czlonkowski n8n-mcp

Thu, 07 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous URL validator in SSRFProtection.validateUrlSync() had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an n8nApiUrl value could cause the server to issue HTTP requests to cloud metadata endpoints, RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the n8nApiKey is forwarded in the x-n8n-api-key header to the attacker-controlled target. Projects with deployments embedding n8n-mcp as an SDK using N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext are affected. The first-party HTTP server deployment was not primarily affected — it has a second async validator (validateWebhookUrl) that catches IPv6 addresses. This issue has been fixed in version 2.47.14. If users are unable to upgrade immediately as a workaround they can validate URLs before passing to the SDK, restrict egress at the network layer, and reject user-controlled n8nApiUrl values.
Title		n8n-MCP: IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders
Weaknesses		CWE-918
References		https://github.com/czlonkowski/n8n-mcp/commit/9639f757853149f0cb16663cc8b6b6468f27a25f https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-56c3-vfp2-5qqj
Metrics		cvssV3_1 `{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}`

Subscriptions

Czlonkowski N8n-mcp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-07T20:46:29.429Z

Updated: 2026-05-07T20:46:29.429Z

Reserved: 2026-04-27T13:55:58.693Z

Link: CVE-2026-42449

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-07T21:16:30.133

Modified: 2026-05-07T21:16:30.133

Link: CVE-2026-42449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:45:24Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object