CVE-2026-39974: CWE-918: Server-Side Request Forgery (SSRF) in czlonkowski n8n-mcp
n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4.
AI Analysis
Technical Summary
The vulnerability in n8n-mcp (CVE-2026-39974) is an authenticated SSRF issue affecting versions prior to 2.47.4. An attacker with a valid AUTH_TOKEN in multi-tenant HTTP environments can supply arbitrary URLs via multi-tenant HTTP headers, causing the server to issue HTTP requests to those URLs. The server reflects response bodies back through JSON-RPC, enabling attackers to read data from internal services and cloud instance metadata endpoints (e.g., AWS IMDS, GCP, Azure). This can lead to exposure of sensitive internal information. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not vulnerable. The vendor has released version 2.47.4 to address this issue. Since n8n-mcp is a cloud service, the vendor typically handles patching for hosted environments.
Potential Impact
An attacker with authenticated access (valid AUTH_TOKEN) in multi-tenant HTTP deployments can exploit this SSRF vulnerability to make the server request arbitrary internal or external URLs. This can lead to unauthorized disclosure of sensitive information, including cloud instance metadata and internal network services data. The vulnerability does not allow denial of service or integrity modification but has high confidentiality impact. Single-tenant and non-multi-tenant HTTP deployments are not impacted.
Mitigation Recommendations
A fixed version (2.47.4) is available that addresses this SSRF vulnerability. For cloud-hosted instances of n8n-mcp, the vendor manages remediation and patch deployment. Users should verify that their environment is updated to version 2.47.4 or later. If operating multi-tenant HTTP deployments, ensure that only trusted clients hold AUTH_TOKENs and consider limiting token sharing. Single-tenant and non-multi-tenant HTTP deployments are not affected and require no action specific to this vulnerability. Patch status is confirmed by the vendor advisory stating the fix is in 2.47.4.
CVE-2026-39974: CWE-918: Server-Side Request Forgery (SSRF) in czlonkowski n8n-mcp
Description
n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in n8n-mcp (CVE-2026-39974) is an authenticated SSRF issue affecting versions prior to 2.47.4. An attacker with a valid AUTH_TOKEN in multi-tenant HTTP environments can supply arbitrary URLs via multi-tenant HTTP headers, causing the server to issue HTTP requests to those URLs. The server reflects response bodies back through JSON-RPC, enabling attackers to read data from internal services and cloud instance metadata endpoints (e.g., AWS IMDS, GCP, Azure). This can lead to exposure of sensitive internal information. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not vulnerable. The vendor has released version 2.47.4 to address this issue. Since n8n-mcp is a cloud service, the vendor typically handles patching for hosted environments.
Potential Impact
An attacker with authenticated access (valid AUTH_TOKEN) in multi-tenant HTTP deployments can exploit this SSRF vulnerability to make the server request arbitrary internal or external URLs. This can lead to unauthorized disclosure of sensitive information, including cloud instance metadata and internal network services data. The vulnerability does not allow denial of service or integrity modification but has high confidentiality impact. Single-tenant and non-multi-tenant HTTP deployments are not impacted.
Mitigation Recommendations
A fixed version (2.47.4) is available that addresses this SSRF vulnerability. For cloud-hosted instances of n8n-mcp, the vendor manages remediation and patch deployment. Users should verify that their environment is updated to version 2.47.4 or later. If operating multi-tenant HTTP deployments, ensure that only trusted clients hold AUTH_TOKENs and consider limiting token sharing. Single-tenant and non-multi-tenant HTTP deployments are not affected and require no action specific to this vulnerability. Patch status is confirmed by the vendor advisory stating the fix is in 2.47.4.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-08T00:01:47.628Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d7dc7c1cc7ad14daf451d9
Added to database: 4/9/2026, 5:06:04 PM
Last enriched: 4/17/2026, 11:54:38 AM
Last updated: 5/25/2026, 2:38:36 AM
Views: 136
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.