PT-2026-36822 · N8N-Mcp · N8N-Mcp

Manthanghasadiya · Published 2026-04-30 · Updated 2026-05-14 · CVE-2026-42449

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: n8n-MCP versions 2.47.4 through 2.47.13

Description: The synchronous URL validator in SSRFProtection.validateUrlSync() lacks IPv6 checks within the SDK embedder path, specifically affecting the N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext(). This allows IPv4-mapped IPv6 addresses to bypass the checks for cloud-metadata, localhost, and private-IP ranges. An attacker providing a malicious n8nApiUrl value can trigger the server to issue HTTP requests to localhost services, RFC1918 private networks, or cloud metadata endpoints. The result is a non-blind Server-Side Request Forgery (SSRF): response bodies are returned to the caller, and the n8nApiKey is forwarded in the x-n8n-api-key header to the attacker-controlled target.
Recommendations: Update to version 2.47.14. Until then, three temporary workarounds apply: validate URLs before passing them to the SDK by rejecting any n8nApiUrl whose hostname is an IP literal; restrict egress at the network layer so that outbound traffic to RFC1918 ranges, link-local 169.254.0.0/16, and cloud metadata endpoints is blocked; and reject user-controlled n8nApiUrl values altogether.
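To make the bypass class and the workaround concrete, the following is an added example, not n8n-MCP's own code: a synchronous URL check that only compares dotted-quad hostnames against a blocklist (the flaw class the description names) beside a hardened check that expands IPv6 literals, folds IPv4-mapped addresses (::ffff:a.b.c.d, or its hex form ::ffff:xxxx:xxxx) back into IPv4 before applying the private-range, loopback and link-local checks, and by default refuses any IP-literal hostname as the advisory's first workaround suggests. The function names, the blocklist and the test URLs are assumptions chosen for illustration; only the WHATWG URL class is used, so it runs in plain Node without extra modules.

```javascript
// Added example (not n8n-MCP's code). Names and blocklist are assumptions.

// IPv4 ranges a server-side fetcher should never be steered to.
const BLOCKED_V4 = [
  ["10.0.0.0", 8],      // RFC1918
  ["172.16.0.0", 12],   // RFC1918
  ["192.168.0.0", 16],  // RFC1918
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, incl. cloud metadata 169.254.169.254
  ["0.0.0.0", 8],       // "this" network
];

// Dotted quad -> unsigned 32-bit int, or null if not a valid IPv4 literal.
function ipv4ToInt(dotted) {
  const parts = dotted.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedIpv4(dotted) {
  const ip = ipv4ToInt(dotted);
  if (ip === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Expand an IPv6 literal (no brackets) to eight 16-bit groups, handling
// "::" compression and a trailing dotted quad such as ::ffff:10.0.0.5.
function expandIpv6(lit) {
  let s = lit;
  const m = s.match(/^(.*:)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
  if (m) {
    const v4 = ipv4ToInt(m[2]);
    if (v4 === null) return null;
    s = m[1] + (v4 >>> 16).toString(16) + ":" + (v4 & 0xffff).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0) return null;
  const groups = [...head, ...Array(fill).fill("0"), ...tail];
  if (groups.length !== 8) return null;
  const out = [];
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

// Classify a URL hostname: is it an IP literal, and what address does it
// denote once IPv4-mapped IPv6 is folded back to IPv4?
function classifyHost(hostname) {
  if (hostname.startsWith("[") && hostname.endsWith("]")) {
    const groups = expandIpv6(hostname.slice(1, -1));
    if (!groups) return { literal: true, invalid: true, v4: null, v6: null };
    const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
    if (mapped) {
      const [hi, lo] = [groups[6], groups[7]];
      const v4 = [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
      return { literal: true, invalid: false, v4, v6: groups };
    }
    return { literal: true, invalid: false, v4: null, v6: groups };
  }
  if (ipv4ToInt(hostname) !== null) return { literal: true, invalid: false, v4: hostname, v6: null };
  return { literal: false, invalid: false, v4: null, v6: null };
}

function isBlockedIpv6(groups) {
  const zeroPrefix = groups.slice(0, 7).every((g) => g === 0);
  if (zeroPrefix && groups[7] <= 1) return true;      // :: and ::1
  if ((groups[0] & 0xffc0) === 0xfe80) return true;   // fe80::/10 link-local
  if ((groups[0] & 0xfe00) === 0xfc00) return true;   // fc00::/7 unique-local
  return false;
}

// Weak check (the flaw class in the advisory): only dotted-quad hosts are
// compared against the blocklist, so a bracketed IPv6 literal passes.
function weakValidateUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (!["http:", "https:"].includes(u.protocol)) return { ok: false, reason: "scheme" };
  if (isBlockedIpv4(u.hostname)) return { ok: false, reason: "blocked-ipv4" };
  return { ok: true, reason: "allowed" };
}

// Hardened check. By default any IP-literal host is refused (the advisory's
// workaround); with allowIpLiterals the literal is normalised and range-checked.
function hardenedValidateUrl(raw, { allowIpLiterals = false } = {}) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (!["http:", "https:"].includes(u.protocol)) return { ok: false, reason: "scheme" };
  const host = classifyHost(u.hostname);
  if (host.invalid) return { ok: false, reason: "bad-ip-literal" };
  if (host.literal && !allowIpLiterals) return { ok: false, reason: "ip-literal" };
  if (host.v4 !== null && isBlockedIpv4(host.v4)) return { ok: false, reason: "blocked-ipv4" };
  if (host.v4 === null && host.v6 !== null && isBlockedIpv6(host.v6)) return { ok: false, reason: "blocked-ipv6" };
  return { ok: true, reason: "allowed" };
}
```

Two design points are worth noting. First, the WHATWG URL parser already canonicalises `[::ffff:169.254.169.254]` to the hex form `[::ffff:a9fe:a9fe]`, which is exactly why a check that only looks for dotted quads in `hostname` never sees the IPv4 address; the hardened path therefore works on the expanded 16-bit groups rather than on the string. Second, a synchronous validator cannot resolve DNS, so a hostname that resolves to a private address (or rebinds to one later) is outside its reach; that is the gap the advisory's network-layer egress restriction closes, and the two workarounds should be used together.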

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-42449
GHSA-56C3-VFP2-5QQJ

Affected Products

N8N-Mcp