Attack Chain

1. An attacker identifies a vulnerable n8n-mcp deployment embedding the SDK and using a user-supplied InstanceContext.
2. The attacker crafts a malicious n8nApiUrl containing an IPv4-mapped IPv6 address, such as http://[::ffff:169.254.169.254].
3. The attacker supplies the crafted n8nApiUrl to the vulnerable N8NDocumentationMCPServer constructor or getN8nApiClient() method.
4. The validateInstanceContext() function calls SSRFProtection.validateUrlSync() to validate the URL.
5. The validateUrlSync() function fails to properly validate the IPv4-mapped IPv6 address.
6. The server issues an HTTP request to the attacker-specified target using the bypassed URL.
7. The x-n8n-api-key header is forwarded to the attacker-controlled target.
8. The response body from the target is returned to the attacker, allowing the attacker to gather sensitive information from internal services or cloud metadata endpoints.

Impact

Successful exploitation of this SSRF vulnerability allows an attacker to perform unauthorized actions, such as accessing sensitive information from cloud metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), RFC1918 private networks, or localhost services. The attacker can also gain access to the n8nApiKey, which is forwarded in the x-n8n-api-key header, potentially leading to further compromise of the n8n instance. This vulnerability impacts deployments embedding n8n-mcp as an SDK between versions v2.47.4 and v2.47.13.

Recommendation

• Upgrade n8n-mcp to version v2.47.14 or later to patch the vulnerability as described in the advisory.
• Implement a network-level block on outbound traffic from the n8n-mcp process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local 169.254.0.0/16, and cloud metadata endpoints as a defense-in-depth measure.
• Deploy the Sigma rule Detect N8N MCP SSRF Attempt via IPv6 Bypass to identify exploitation attempts by detecting outbound connections to internal IPs using IPv6 mapped IPv4 address.

Attack Chain

1. An attacker gains authenticated access to an n8n instance.
2. The attacker verifies the Python Task Runner is enabled.
3. The attacker creates or modifies an n8n workflow.
4. The workflow includes a Python Code Node.
5. The attacker crafts malicious Python code designed to escape the sandbox. This code could leverage vulnerabilities in the sandbox implementation to execute commands outside of the intended restricted environment.
6. The attacker triggers the workflow execution.
7. The malicious Python code executes, successfully escaping the sandbox.
8. Arbitrary code is executed on the task runner container, potentially leading to compromise of the n8n instance or the underlying infrastructure.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the n8n task runner container. This can lead to a full compromise of the n8n instance, allowing the attacker to steal sensitive data, disrupt services, or pivot to other systems within the network. While the exact number of affected instances is unknown, any n8n deployment with the Python Task Runner enabled and vulnerable versions are at risk.

Recommendation

• Upgrade n8n to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability as recommended by the vendor.
• If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only, as mentioned in the advisory.
• As a temporary measure, disable the Python Code node by adding n8n-nodes-base.code to the NODES_EXCLUDE environment variable, or disable the Python Task Runner entirely as documented in the advisory.
• Monitor container execution for unexpected processes spawned from the n8n task runner container using the “Detect Suspicious Process Execution from n8n Task Runner” Sigma rule.

Attack Chain

Given the broad range of potential vulnerabilities, a generalized attack chain is outlined below:

1. Reconnaissance: The attacker identifies a vulnerable n8n instance, potentially through Shodan or similar tools.
2. Vulnerability Identification: The attacker probes the n8n instance to identify specific exploitable vulnerabilities, such as those related to SQL injection or XSS.
3. Exploitation (SQL Injection): The attacker crafts malicious SQL queries through user input fields or API calls to extract sensitive data from the n8n database, such as user credentials or API keys.
4. Exploitation (XSS): The attacker injects malicious JavaScript code into n8n workflows or data fields. When other users interact with the affected workflows or data, the JavaScript code executes in their browsers.
5. Privilege Escalation/Lateral Movement: The attacker leverages the compromised credentials or XSS vulnerabilities to gain elevated privileges within the n8n instance or move laterally to other systems within the network.
6. Remote Code Execution: The attacker exploits a vulnerability that allows for the execution of arbitrary code on the server. This could be achieved through insecure file uploads, deserialization flaws, or command injection.
7. Persistence: The attacker establishes persistence by creating new n8n workflows or modifying existing ones to execute malicious code on a recurring basis.
8. Impact: The attacker exfiltrates sensitive data, disrupts critical business processes by manipulating or deleting workflows, or uses the compromised system as a foothold for further attacks within the network.

Impact

Successful exploitation of these vulnerabilities could result in significant damage, depending on the attacker’s objectives. The potential impact includes data breaches, financial losses, service disruptions, and reputational damage. If sensitive data is exfiltrated, it could be used for identity theft, fraud, or other malicious purposes. Disruption of critical workflows can lead to business downtime and lost productivity. The lack of specific victim counts or sector targeting in the source data makes it difficult to quantify the impact precisely, but the broad range of potential vulnerabilities and their potential consequences warrant immediate attention.

Recommendation

• Implement the provided Sigma rules to detect potential exploitation attempts targeting n8n instances (see “Descriptive Detection Rule Name” in the rules section).
• Conduct regular security audits and penetration testing of n8n instances to identify and remediate vulnerabilities before they can be exploited.
• Enforce strict input validation and sanitization measures to prevent SQL injection and XSS attacks.
• Apply the principle of least privilege to limit the permissions of the n8n process and users.
• Monitor network traffic for suspicious activity related to n8n instances, such as unusual API calls or connections to malicious domains.
• Regularly review and update n8n workflows to ensure they are secure and do not contain any malicious code.

Attack Chain

1. An attacker gains authenticated access to an n8n instance.
2. The attacker obtains access to a shared workflow.
3. The attacker identifies a credential ID belonging to another user within the n8n instance.
4. The attacker crafts a request to a vulnerable dynamic-node-parameters endpoint, injecting the foreign credential ID into the request body.
5. The n8n backend, failing to validate the attacker’s authorization to use the specified credential, decrypts the targeted credential.
6. The attacker controls the destination URL in the request, pointing it to attacker-controlled infrastructure.
7. The n8n backend authenticates against the attacker-controlled infrastructure using the decrypted credential, sending the API key to the attacker.
8. The attacker captures the API key and uses it to access resources or data accessible to the compromised credential.

Impact

Successful exploitation of this vulnerability (CVE-2026-42226) allows an attacker to exfiltrate API keys belonging to other n8n users. This can lead to unauthorized access to external services and data, depending on the permissions granted to the compromised credentials. The impact is significant, potentially affecting all n8n instances running vulnerable versions (prior to 2.18.0). The severity is rated as high due to the ease of exploitation and the potential for significant data breaches.

Recommendation

• Upgrade n8n to version 2.18.0 or later to patch the vulnerability (CVE-2026-42226).
• Deploy the Sigma rule Detect n8n Foreign Credential ID in dynamic-node-parameters to identify attempts to exploit this vulnerability.
• Implement stricter access controls and limit workflow sharing to trusted users as a short-term mitigation, as suggested in the overview.