{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/n8n-mcp--2.47.4--2.47.14/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n-mcp (\u003e= 2.47.4, \u003c 2.47.14)"],"_cs_severities":["high"],"_cs_tags":["ssrf","cwe-918","n8n-mcp"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eThe n8n-mcp library, when embedded as an SDK, contains a server-side request forgery (SSRF) vulnerability. The vulnerability lies in the \u003ccode\u003eSSRFProtection.validateUrlSync()\u003c/code\u003e function, specifically within the \u003ccode\u003eN8NDocumentationMCPServer\u003c/code\u003e constructor, \u003ccode\u003egetN8nApiClient()\u003c/code\u003e, and \u003ccode\u003evalidateInstanceContext()\u003c/code\u003e methods. This synchronous validator lacks IPv6 checks, allowing IPv4-mapped IPv6 addresses (e.g., \u003ccode\u003ehttp://[::ffff:169.254.169.254]\u003c/code\u003e) to bypass existing protections against cloud metadata, localhost, and private IP ranges. An attacker who can control the \u003ccode\u003en8nApiUrl\u003c/code\u003e parameter can exploit this flaw to force the server to make HTTP requests to internal or external services. This issue affects deployments embedding n8n-mcp as an SDK using \u003ccode\u003eN8NDocumentationMCPServer\u003c/code\u003e or \u003ccode\u003eN8NMCPEngine\u003c/code\u003e with user-supplied \u003ccode\u003eInstanceContext\u003c/code\u003e on versions v2.47.4 through v2.47.13. 
Version v2.47.14 and later contain the patch for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable n8n-mcp deployment embedding the SDK and using a user-supplied \u003ccode\u003eInstanceContext\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003en8nApiUrl\u003c/code\u003e containing an IPv4-mapped IPv6 address, such as \u003ccode\u003ehttp://[::ffff:169.254.169.254]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies the crafted \u003ccode\u003en8nApiUrl\u003c/code\u003e to the vulnerable \u003ccode\u003eN8NDocumentationMCPServer\u003c/code\u003e constructor or \u003ccode\u003egetN8nApiClient()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidateInstanceContext()\u003c/code\u003e function calls \u003ccode\u003eSSRFProtection.validateUrlSync()\u003c/code\u003e to validate the URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidateUrlSync()\u003c/code\u003e function fails to properly validate the IPv4-mapped IPv6 address.\u003c/li\u003e\n\u003cli\u003eThe server issues an HTTP request to the attacker-specified target using the bypassed URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ex-n8n-api-key\u003c/code\u003e header is forwarded to the attacker-controlled target.\u003c/li\u003e\n\u003cli\u003eThe response body from the target is returned to the attacker, allowing the attacker to gather sensitive information from internal services or cloud metadata endpoints.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows an attacker to perform unauthorized actions, such as accessing sensitive information from cloud metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), RFC1918 private networks, or localhost services. 
The attacker can also gain access to the \u003ccode\u003en8nApiKey\u003c/code\u003e, which is forwarded in the \u003ccode\u003ex-n8n-api-key\u003c/code\u003e header, potentially leading to further compromise of the n8n instance. This vulnerability impacts deployments embedding n8n-mcp as an SDK between versions v2.47.4 and v2.47.13.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n-mcp to version v2.47.14 or later to patch the vulnerability as described in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement a network-level block on outbound traffic from the n8n-mcp process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local \u003ccode\u003e169.254.0.0/16\u003c/code\u003e, and cloud metadata endpoints as a defense-in-depth measure.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect N8N MCP SSRF Attempt via IPv6 Bypass\u003c/code\u003e to identify exploitation attempts by detecting outbound connections to internal IPs that use IPv4-mapped IPv6 addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T18:12:54Z","date_published":"2026-04-30T18:12:54Z","id":"/briefs/2026-04-n8n-mcp-ssrf/","summary":"The n8n-mcp SDK embedder path is vulnerable to server-side request forgery (SSRF) due to the synchronous URL validator in `SSRFProtection.validateUrlSync()` not checking for IPv6 addresses, allowing attackers to access cloud metadata endpoints, RFC1918 private networks, or localhost services by supplying a crafted `n8nApiUrl`.","title":"n8n-mcp SDK Embedder SSRF Vulnerability via IPv6 Bypass","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-mcp-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — N8n-Mcp (\u003e= 2.47.4, \u003c 2.47.14)","version":"https://jsonfeed.org/version/1.1"}