N8n

When ENABLE_MULTI_TENANT=true, n8n-mcp requests that omit x-n8n-url or x-n8n-key headers silently fall back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance; an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own, leading to potential data access and code execution on the operator's n8n instance.

An authenticated, remote attacker can exploit multiple vulnerabilities in n8n to execute arbitrary code, bypass security measures, conduct SQL injection attacks, manipulate data, or disclose sensitive information.

n8n-mcp versions before 2.50.1 are vulnerable to path traversal, redirect-following SSRF, and telemetry payload exposure, potentially leading to sensitive information disclosure and unauthorized access.

The n8n-mcp SDK embedder path is vulnerable to server-side request forgery (SSRF) due to the synchronous URL validator in `SSRFProtection.validateUrlSync()` not checking for IPv6 addresses, allowing attackers to access cloud metadata endpoints, RFC1918 private networks, or localhost services by supplying a crafted `n8nApiUrl`.

A sandbox escape vulnerability exists in n8n's Python Task Runner that allows an authenticated user with workflow creation/modification permissions to achieve arbitrary code execution on the task runner container, impacting n8n instances with the Python Task Runner enabled; upgrade to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability.

Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.

An authenticated server-side request forgery (SSRF) vulnerability affects the webhook trigger tools and the n8n API client in n8n-mcp versions 2.18.7 to before 2.50.2, allowing attackers to make HTTP requests from the n8n-mcp host to internal services and cloud metadata endpoints, potentially leading to credential theft and internal service enumeration.

A credential authorization bypass vulnerability in n8n versions before 2.18.0 allows an authenticated user with access to a shared workflow to supply a foreign credential ID, causing the backend to decrypt and use that credential against attacker-controlled infrastructure, leading to API key exfiltration.