<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>N8n-MCP Server - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/n8n-mcp-server/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/n8n-mcp-server/feed.xml" rel="self" type="application/rss+xml"/><item><title>n8n-MCP Server-Side Request Forgery Vulnerability (CVE-2026-39974)</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-n8n-mcp-ssrf/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-n8n-mcp-ssrf/</guid><description>A server-side request forgery (SSRF) vulnerability in n8n-MCP prior to version 2.47.4 allows authenticated attackers to send HTTP requests to arbitrary URLs, potentially accessing sensitive information.</description><content:encoded><![CDATA[<p>n8n-MCP (Model Context Protocol) server is designed to provide AI assistants with access to n8n node documentation and operations. A critical vulnerability, CVE-2026-39974, exists in versions prior to 2.47.4. This vulnerability allows an attacker with a valid <code>AUTH_TOKEN</code> to perform Server-Side Request Forgery (SSRF) attacks. By manipulating multi-tenant HTTP headers, an attacker can force the n8n-MCP server to issue HTTP requests to arbitrary URLs. The response bodies from these requests are then reflected back to the attacker via JSON-RPC. This poses a significant risk to multi-tenant HTTP deployments where multiple operators share a valid <code>AUTH_TOKEN</code> or when the token is shared with untrusted clients. Successful exploitation can lead to the disclosure of sensitive information, including access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle) and internal network services accessible to the server process. This vulnerability is resolved in version 2.47.4.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker obtains a valid <code>AUTH_TOKEN</code> for an n8n-MCP instance. This could be achieved through legitimate access, credential theft, or other means.</li>
<li>Attacker crafts a malicious HTTP request containing multi-tenant headers that specify a target URL for the SSRF attack. This URL could point to internal cloud metadata endpoints (e.g., <code>http://169.254.169.254/latest/meta-data/</code>) or internal services.</li>
<li>The attacker sends the malicious HTTP request to the vulnerable n8n-MCP server.</li>
<li>The n8n-MCP server, upon receiving the request, processes the multi-tenant headers and initiates an HTTP request to the attacker-specified URL.</li>
<li>The external service or internal resource responds to the n8n-MCP server.</li>
<li>The n8n-MCP server receives the response body from the targeted URL.</li>
<li>The n8n-MCP server reflects the response body back to the attacker through a JSON-RPC response.</li>
<li>The attacker parses the JSON-RPC response and extracts the sensitive information obtained from the SSRF attack, such as cloud instance metadata or internal service data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-39974 can lead to the disclosure of sensitive information, including cloud instance metadata and internal service details. In multi-tenant environments, this could potentially compromise the confidentiality of other tenants' data. Access to cloud instance metadata can provide attackers with credentials or other information necessary to further compromise the cloud environment. The impact is most significant in multi-tenant HTTP deployments, but single-tenant environments could also be affected if the <code>AUTH_TOKEN</code> is compromised.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade n8n-MCP to version 2.47.4 or later to patch CVE-2026-39974.</li>
<li>Implement strict controls over the issuance and management of <code>AUTH_TOKEN</code>s to prevent unauthorized access.</li>
<li>Monitor HTTP request logs for unusual patterns indicative of SSRF attempts. Consider creating detection rules based on suspicious URLs or HTTP headers.</li>
<li>Deploy the Sigma rule provided below to detect potential SSRF attempts targeting cloud metadata endpoints or internal network services.</li>
<li>Implement network segmentation to limit the impact of potential SSRF attacks by restricting the n8n-MCP server's access to internal resources.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>n8n-mcp</category><category>cve-2026-39974</category><category>cloud</category></item></channel></rss>