{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/n8n-mcp--2.50.1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["n8n-mcp (\u003c 2.50.1)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","ssrf","telemetry","information-disclosure"],"_cs_type":"advisory","_cs_vendors":["N8N"],"content_html":"\u003cp\u003e\u003ccode\u003en8n-mcp\u003c/code\u003e versions prior to 2.50.1 are susceptible to three distinct vulnerabilities affecting deployments that leverage the n8n API integration. The first issue involves a lack of validation for caller-supplied identifiers used as URL path segments, enabling authenticated MCP callers to manipulate workflow IDs and direct outbound requests with the configured n8n API key to unintended same-origin endpoints, effectively bypassing access controls. The second vulnerability arises from validated webhook, form, and chat trigger URLs following redirects, potentially redirecting outbound requests to untrusted hosts and exposing the response body to the caller as a non-blind SSRF. Finally, the default opt-in telemetry feature stores unredacted operation payloads, which may contain sensitive information like bearer tokens, API keys, and webhook secrets from workflow node parameters. Successful exploitation of these vulnerabilities could lead to sensitive data exposure and unauthorized access to internal resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the n8n-mcp instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious workflow ID containing path traversal characters.\u003c/li\u003e\n\u003cli\u003eThe attacker makes an MCP call using the crafted workflow ID.\u003c/li\u003e\n\u003cli\u003eThe n8n-mcp instance, lacking proper validation, incorporates the malicious ID into the outbound URL path.\u003c/li\u003e\n\u003cli\u003eThe n8n-mcp instance initiates an HTTP request using the constructed URL, including the configured n8n API key.\u003c/li\u003e\n\u003cli\u003eThe request is redirected to a different endpoint within the same origin.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to resources or performs actions on the redirected endpoint, bypassing intended access controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to significant damage. The path traversal and SSRF vulnerabilities can allow attackers to bypass access controls and gain unauthorized access to internal resources, potentially leading to data breaches or system compromise. The exposure of sensitive information in telemetry data can compromise API keys, secrets, and other credentials, enabling further attacks and unauthorized access to external services. While specific victim counts are unavailable, organizations using affected versions of n8n-mcp are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003en8n-mcp \u0026gt;= 2.50.1\u003c/code\u003e to remediate the vulnerabilities (see Patched versions).\u003c/li\u003e\n\u003cli\u003eApply network access restrictions (firewall, reverse-proxy ACL, or VPN) to the MCP HTTP port, allowing only trusted callers to access it, mitigating issues (1) and (2). Alternatively, switch to stdio mode to eliminate the HTTP attack surface (see Workarounds).\u003c/li\u003e\n\u003cli\u003eDisable telemetry by setting \u003ccode\u003eN8N_MCP_TELEMETRY_DISABLED=true\u003c/code\u003e in the environment before starting the server, or run \u003ccode\u003enpx n8n-mcp telemetry disable\u003c/code\u003e once, addressing issue (3) (see Workarounds).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected outbound connections originating from the n8n-mcp instance, potentially indicating SSRF attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T17:00:09Z","date_published":"2026-05-08T17:00:09Z","id":"/briefs/2024-01-16-n8n-mcp-vulns/","summary":"n8n-mcp versions before 2.50.1 are vulnerable to path traversal, redirect-following SSRF, and telemetry payload exposure, potentially leading to sensitive information disclosure and unauthorized access.","title":"n8n-mcp Vulnerable to Path Traversal, SSRF, and Telemetry Exposure","url":"https://feed.craftedsignal.io/briefs/2024-01-16-n8n-mcp-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — N8n-Mcp (\u003c 2.50.1)","version":"https://jsonfeed.org/version/1.1"}