Description
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. This issue has been patched in version 2.50.2.
Published: 2026-05-08
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in n8n‑MCP allows an attacker who has authenticated to the system to craft requests that the server will forward to arbitrary URLs. The vulnerability appears in the webhook trigger tools, the API client path (N8N_API_URL), and URLs supplied via the x‑n8n‑url header when running in multi‑tenant mode. Once triggered, the server can reach internal or external resources, exposing confidential data, facilitating lateral movement, or disrupting services. The weakness is a classic Server‑Side Request Forgery (CWE‑918) and also involves improper handling of authenticated requests (CWE‑367).

Affected Systems

The issue affects the n8n‑MCP server provided by czlonkowski. Versions from 2.18.7 up through the release preceding 2.50.2 are vulnerable. The patch that removes this flaw is included in n8n‑MCP version 2.50.2 and later.

Risk and Exploitability

The CVSS score is 7.2, placing the vulnerability in the medium‑to‑high severity range. Exploitation requires an authenticated user, so an internal attacker or a user with valid credentials can activate the SSRF. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, indicating no known active exploits at the time of analysis. Real‑world risk remains significant because of the potential for internal network reconnaissance or manipulation of external services.

Generated by OpenCVE AI on May 8, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n‑MCP to version 2.50.2 or later.
  • If an upgrade cannot be performed immediately, disable or restrict access to the webhook trigger tools and API client paths for untrusted users and block the use of the x‑n8n‑url header.
  • Review and audit user permissions, ensuring only necessary users have access to the vulnerable API endpoints.

Generated by OpenCVE AI on May 8, 2026 at 21:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cmrh-wvq6-wm9r n8n-mcp webhook and API client paths has an authenticated SSRF
History

Fri, 08 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Czlonkowski
Czlonkowski n8n-mcp
Vendors & Products Czlonkowski
Czlonkowski n8n-mcp

Fri, 08 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. This issue has been patched in version 2.50.2.
Title n8n-MCP: Authenticated SSRF in n8n-mcp webhook and API client paths
Weaknesses CWE-367
CWE-918
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L'}

Subscriptions

Czlonkowski N8n-mcp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:12:05.326Z

Reserved: 2026-05-07T17:07:09.316Z

Link: CVE-2026-44694

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T20:16:31.917

Modified: 2026-05-08T20:16:31.917

Link: CVE-2026-44694

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses