{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39974/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-39974"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["n8n-MCP Server"],"_cs_severities":["high"],"_cs_tags":["ssrf","n8n-mcp","cve-2026-39974","cloud"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003en8n-MCP (Model Context Protocol) server is designed to provide AI assistants with access to n8n node documentation and operations. A critical vulnerability, CVE-2026-39974, exists in versions prior to 2.47.4. This vulnerability allows an attacker with a valid \u003ccode\u003eAUTH_TOKEN\u003c/code\u003e to perform Server-Side Request Forgery (SSRF) attacks. By manipulating multi-tenant HTTP headers, an attacker can force the n8n-MCP server to issue HTTP requests to arbitrary URLs. The response bodies from these requests are then reflected back to the attacker via JSON-RPC. This poses a significant risk to multi-tenant HTTP deployments where multiple operators share a valid \u003ccode\u003eAUTH_TOKEN\u003c/code\u003e or when the token is shared with untrusted clients. Successful exploitation can lead to the disclosure of sensitive information, including access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle) and internal network services accessible to the server process. This vulnerability is resolved in version 2.47.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid \u003ccode\u003eAUTH_TOKEN\u003c/code\u003e for an n8n-MCP instance. This could be achieved through legitimate access, credential theft, or other means.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request containing multi-tenant headers that specify a target URL for the SSRF attack. This URL could point to internal cloud metadata endpoints (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e) or internal services.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious HTTP request to the vulnerable n8n-MCP server.\u003c/li\u003e\n\u003cli\u003eThe n8n-MCP server, upon receiving the request, processes the multi-tenant headers and initiates an HTTP request to the attacker-specified URL.\u003c/li\u003e\n\u003cli\u003eThe external service or internal resource responds to the n8n-MCP server.\u003c/li\u003e\n\u003cli\u003eThe n8n-MCP server receives the response body from the targeted URL.\u003c/li\u003e\n\u003cli\u003eThe n8n-MCP server reflects the response body back to the attacker through a JSON-RPC response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON-RPC response and extracts the sensitive information obtained from the SSRF attack, such as cloud instance metadata or internal service data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39974 can lead to the disclosure of sensitive information, including cloud instance metadata and internal service details. In multi-tenant environments, this could potentially compromise the confidentiality of other tenants' data. Access to cloud instance metadata can provide attackers with credentials or other information necessary to further compromise the cloud environment. The impact is most significant in multi-tenant HTTP deployments, but single-tenant environments could also be affected if the \u003ccode\u003eAUTH_TOKEN\u003c/code\u003e is compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n-MCP to version 2.47.4 or later to patch CVE-2026-39974.\u003c/li\u003e\n\u003cli\u003eImplement strict controls over the issuance and management of \u003ccode\u003eAUTH_TOKEN\u003c/code\u003es to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor HTTP request logs for unusual patterns indicative of SSRF attempts. Consider creating detection rules based on suspicious URLs or HTTP headers.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential SSRF attempts targeting cloud metadata endpoints or internal network services.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks by restricting the n8n-MCP server's access to internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-n8n-mcp-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability in n8n-MCP prior to version 2.47.4 allows authenticated attackers to send HTTP requests to arbitrary URLs, potentially accessing sensitive information.","title":"n8n-MCP Server-Side Request Forgery Vulnerability (CVE-2026-39974)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-n8n-mcp-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-39974","version":"https://jsonfeed.org/version/1.1"}