PT-2026-31662 · N8N · N8N-Mcp

Published 2026-04-08 · Updated 2026-04-09 · CVE-2026-39974

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: n8n-MCP versions prior to 2.47.4

Description: n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with access to n8n node documentation. A Server-Side Request Forgery (SSRF) exists in n8n-mcp prior to version 2.47.4, allowing an attacker with a valid AUTH_TOKEN to make HTTP requests to arbitrary URLs through the multi-tenant HTTP headers. The response bodies are returned via JSON-RPC, so an attacker can read the contents of any URL the server can reach, including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and other accessible hosts. Deployments at risk are those with multi-tenant HTTP configurations where multiple operators hold valid AUTH_TOKENs, or where the token is shared with untrusted clients. Single-tenant deployments and HTTP deployments without multi-tenant headers are not affected.

Recommendations: Upgrade to n8n-MCP version 2.47.4 or later. As a temporary workaround, implement egress filtering at the network layer to block outbound traffic to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local 169.254.0.0/16, and other internal ranges. If multi-tenant functionality is not required, disable multi-tenant headers by unsetting ENABLE_MULTI_TENANT and stripping the x-n8n-url and x-n8n-key headers at the reverse proxy. Restrict distribution of the AUTH_TOKEN to fully trusted operators until the upgrade can be applied.

Fix

Weakness Enumeration: SSRF

Related Identifiers: BDU:2026-05497, CVE-2026-39974, GHSA-4GGG-H7PH-26QR

Affected Products: N8N-Mcp