n8n-MCP Server-Side Request Forgery Vulnerability (CVE-2026-39974)
A server-side request forgery (SSRF) vulnerability in n8n-MCP prior to version 2.47.4 allows authenticated attackers to send HTTP requests to arbitrary URLs, potentially accessing sensitive information.
n8n-MCP (Model Context Protocol) server is designed to provide AI assistants with access to n8n node documentation and operations. A critical vulnerability, CVE-2026-39974, exists in versions prior to 2.47.4. This vulnerability allows an attacker with a valid AUTH_TOKEN to perform Server-Side Request Forgery (SSRF) attacks. By manipulating multi-tenant HTTP headers, an attacker can force the n8n-MCP server to issue HTTP requests to arbitrary URLs. The response bodies from these requests are then reflected back to the attacker via JSON-RPC. This poses a significant risk to multi-tenant HTTP deployments where multiple operators share a valid AUTH_TOKEN or when the token is shared with untrusted clients. Successful exploitation can lead to the disclosure of sensitive information, including access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle) and internal network services accessible to the server process. This vulnerability is resolved in version 2.47.4.
Attack Chain
- Attacker obtains a valid
AUTH_TOKENfor an n8n-MCP instance. This could be achieved through legitimate access, credential theft, or other means. - Attacker crafts a malicious HTTP request containing multi-tenant headers that specify a target URL for the SSRF attack. This URL could point to internal cloud metadata endpoints (e.g.,
http://169.254.169.254/latest/meta-data/) or internal services. - The attacker sends the malicious HTTP request to the vulnerable n8n-MCP server.
- The n8n-MCP server, upon receiving the request, processes the multi-tenant headers and initiates an HTTP request to the attacker-specified URL.
- The external service or internal resource responds to the n8n-MCP server.
- The n8n-MCP server receives the response body from the targeted URL.
- The n8n-MCP server reflects the response body back to the attacker through a JSON-RPC response.
- The attacker parses the JSON-RPC response and extracts the sensitive information obtained from the SSRF attack, such as cloud instance metadata or internal service data.
Impact
Successful exploitation of CVE-2026-39974 can lead to the disclosure of sensitive information, including cloud instance metadata and internal service details. In multi-tenant environments, this could potentially compromise the confidentiality of other tenants' data. Access to cloud instance metadata can provide attackers with credentials or other information necessary to further compromise the cloud environment. The impact is most significant in multi-tenant HTTP deployments, but single-tenant environments could also be affected if the AUTH_TOKEN is compromised.
Recommendation
- Upgrade n8n-MCP to version 2.47.4 or later to patch CVE-2026-39974.
- Implement strict controls over the issuance and management of
AUTH_TOKENs to prevent unauthorized access. - Monitor HTTP request logs for unusual patterns indicative of SSRF attempts. Consider creating detection rules based on suspicious URLs or HTTP headers.
- Deploy the Sigma rule provided below to detect potential SSRF attempts targeting cloud metadata endpoints or internal network services.
- Implement network segmentation to limit the impact of potential SSRF attacks by restricting the n8n-MCP server's access to internal resources.
Detection coverage 2
Detect n8n-MCP SSRF Attempt via Suspicious URL
highDetects potential SSRF attempts by monitoring for requests containing URLs commonly associated with cloud metadata endpoints or internal network services.
Detect n8n-MCP SSRF Attempt via Multi-Tenant Header Abuse
mediumDetects potential SSRF attempts by monitoring for unusual HTTP requests containing specific headers used in multi-tenant n8n-MCP deployments.
Detection queries are available on the platform. Get full rules →