PT-2026-39189 · N8N-Mcp · N8N-Mcp
Fg0X0 · Published 2026-05-08 · Updated 2026-05-14 · CVE-2026-44694

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: n8n-MCP versions 2.18.7 through 2.50.1

Description: An authenticated server-side request forgery (SSRF) issue affects the webhook trigger tools, the n8n API client URL (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. A caller with access to the MCP session can make the host send HTTP requests to internal services and to cloud metadata endpoints. This allows enumeration of internal services and theft of credentials such as temporary IAM, GCP service account, or Azure managed-identity credentials. In single-tenant or stdio deployments the same behaviour can be triggered through indirect prompt injection, where an attacker influences the LLM's tool calls so that they read internal services.

Recommendations: Update n8n-MCP to version 2.50.2. Restrict network egress from the host with a firewall or security group that denies access to cloud metadata IPs and to RFC1918 networks that are not needed. Run the software in stdio mode instead of HTTP mode if multi-tenant functionality is not required. If the workflow management tools are not needed, disable them by setting DISABLED_TOOLS=n8n_trigger_webhook_workflow,n8n_create_workflow,n8n_test_workflow.
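The egress restriction and the "time of check to time of use" tag on this entry both come down to one defensive control: a caller-supplied URL (the x-n8n-url header or the N8N_API_URL setting named above) must be resolved, every resulting address checked against loopback, link-local, RFC1918, CGNAT and non-global IPv6 ranges, and the request then sent to the exact address that was checked, so a DNS answer that changes between the check and the connection cannot redirect it to a metadata endpoint. The following is an added example written for this page, not n8n-MCP's own code; it assumes a hypothetical `checkTargetUrl` guard and an injected resolver function (in production that would wrap `dns.promises.lookup` with `all: true`), and it uses constructed hostnames and addresses from the documentation ranges.

```javascript
// Hypothetical egress guard for a caller-supplied URL (x-n8n-url header, N8N_API_URL).
// Not n8n-MCP's code. The resolver is injected so the check runs offline; in
// production wrap dns.promises.lookup(host, { all: true }) and await it.

const BLOCKED_V4_CIDRS = [
  '0.0.0.0/8',       // "this" network
  '10.0.0.0/8',      // RFC1918
  '100.64.0.0/10',   // CGNAT; some cloud metadata services live here
  '127.0.0.0/8',     // loopback
  '169.254.0.0/16',  // link-local, includes the 169.254.169.254 metadata endpoint
  '172.16.0.0/12',   // RFC1918
  '192.168.0.0/16',  // RFC1918
  '224.0.0.0/3',     // multicast and reserved (224.0.0.0 through 255.255.255.255)
];

// Well-known names that resolve to metadata/loopback; belt-and-braces on top of the IP check.
const BLOCKED_HOSTNAMES = new Set(['localhost', 'metadata', 'metadata.google.internal']);

// Strict dotted-quad parser; returns an unsigned 32-bit integer or null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ipInt, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// True when the address must not be contacted. IPv4 is checked against the CIDR list;
// IPv6 is allowed only in global unicast 2000::/3, so ::1, fe80::/10, fc00::/7 and
// IPv4-mapped ::ffff:a.b.c.d all fail closed.
function isBlockedAddress(addr) {
  const v4 = parseIPv4(addr);
  if (v4 !== null) return BLOCKED_V4_CIDRS.some((c) => inCidr(v4, c));
  const a = addr.toLowerCase().replace(/^\[|\]$/g, '');
  const first = a.startsWith('::') ? 0 : parseInt(a.split(':')[0], 16);
  if (Number.isNaN(first)) return true; // unparseable: fail closed
  return !(first >= 0x2000 && first <= 0x3fff);
}

// Validates a URL and returns the one address the caller must connect to.
// resolve(hostname) -> string[] of addresses (constructed/injected here).
function checkTargetUrl(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // WHATWG URL already normalises forms like 127.1 or 0x7f000001 to a dotted quad.
  const host = url.hostname.toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host)) return { ok: false, reason: `hostname ${host} denied` };
  let addresses;
  if (parseIPv4(host) !== null || host.startsWith('[')) {
    addresses = [host]; // literal IP: check it directly
  } else {
    addresses = resolve(host);
    if (!addresses || addresses.length === 0) return { ok: false, reason: 'DNS resolution failed' };
  }
  // Every answer must pass; one internal address among several is enough to refuse.
  const bad = addresses.find(isBlockedAddress);
  if (bad !== undefined) return { ok: false, reason: `${bad} is a blocked address` };
  // Pinning: connect to pinnedAddress (e.g. via a custom lookup on the HTTP agent) and
  // send hostHeader as Host, so a later DNS change cannot move the request (TOCTOU).
  return { ok: true, href: url.href, hostHeader: url.host, pinnedAddress: addresses[0] };
}
```

The check is deliberately fail-closed: anything that is not plain http/https to a public address is refused, and the HTTP client must use the returned `pinnedAddress` rather than resolving the hostname a second time. This is a host-level complement to, not a replacement for, the firewall or security-group egress rules recommended above.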

Fix
Time Of Check To Time Of Use
SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-44694
GHSA-CMRH-WVQ6-WM9R

Affected Products
N8N-Mcp