The vulnerability CVE-2026-39974 in n8n-mcp (versions before 2.47.4) allows an authenticated user possessing a valid AUTH_TOKEN to exploit a Server-Side Request Forgery (SSRF) via multi-tenant HTTP headers. This enables the attacker to make the server issue HTTP requests to arbitrary URLs accessible from the server's network environment. The responses from these requests are returned through JSON-RPC, allowing the attacker to read potentially sensitive data from internal or cloud metadata endpoints (e.g., AWS IMDS, GCP, Azure). The issue primarily impacts multi-tenant HTTP deployments where multiple operators or less-trusted clients share tokens. The vulnerability is resolved in version 2.47.4. Since n8n-mcp is offered as a cloud service, the vendor typically applies patches server-side.

An attacker with valid authentication can leverage this SSRF vulnerability to access sensitive internal network resources and cloud metadata endpoints that the server can reach. This can lead to unauthorized disclosure of confidential information, including cloud instance credentials and internal service data. The vulnerability does not allow unauthenticated access and requires a valid AUTH_TOKEN, limiting exposure to authenticated users in multi-tenant environments. There is no indication of known exploits in the wild at this time.

A fix for this vulnerability is available in n8n-mcp version 2.47.4. Since n8n-mcp is a cloud-hosted service, the vendor manages remediation and typically applies patches server-side. Users should verify with the vendor advisory that their deployment is updated to version 2.47.4 or later. Deployments that are single-tenant or do not use multi-tenant HTTP headers are not affected. No additional mitigation actions are indicated by the vendor advisory.