CVE-2026-44694
Authenticated SSRF in n8n-MCP Server
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | From 2.18.7 (inc) to 2.50.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated server-side request forgery (SSRF) issue in the n8n-MCP server versions from 2.18.7 up to but not including 2.50.2. It affects the webhook trigger tools, the n8n API client (N8N_API_URL), and URLs provided via the x-n8n-url header when running in multi-tenant HTTP mode. Essentially, an authenticated user can exploit this flaw to make the server send unauthorized requests to internal or external systems.
How can this vulnerability impact me?
The impact of this vulnerability includes the potential for an attacker with authentication to cause the server to make unintended requests, which could lead to unauthorized access to internal resources, data leakage, or interaction with internal services that are not normally exposed. This can compromise the confidentiality and integrity of the affected system and its data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade n8n-MCP to version 2.50.2 or later, where the authenticated server-side request forgery issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users to perform server-side request forgery (SSRF) attacks that can lead to internal service enumeration and credential theft, including temporary IAM, GCP service account, and Azure managed-identity credentials.
Such unauthorized access and potential credential theft could lead to exposure of sensitive data or unauthorized access to internal systems, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.
Operators are advised to upgrade to the patched version 2.50.2 and apply recommended security configurations to mitigate the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability allows authenticated users to make HTTP requests from the n8n-mcp host to internal services and cloud metadata endpoints, which can be detected by monitoring unusual outbound HTTP requests from the n8n-mcp server, especially those targeting internal IP ranges or cloud metadata IP addresses.
Detection can involve checking logs for requests that use the webhook trigger tools, the n8n API client (N8N_API_URL), or the x-n8n-url header in multi-tenant HTTP mode, as these are the vectors for the SSRF.
Suggested commands include network monitoring tools or log inspection commands such as:
- Using tcpdump or similar to monitor outbound HTTP requests from the n8n-mcp host: `tcpdump -i <interface> 'tcp port 80 or tcp port 443'`
- Grep logs for suspicious webhook or API client requests containing unusual URLs or internal IP addresses: `grep -iE 'x-n8n-url|N8N_API_URL' /path/to/n8n-mcp/logs/*`
- Check for HTTP requests to cloud metadata IP ranges (e.g., 169.254.169.254 for AWS, GCP, Azure) from the n8n-mcp server.
Operators should also verify the configuration of WEBHOOK_SECURITY_MODE to ensure it is set appropriately to restrict SSRF attack vectors.
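As an added defensive example (not part of this CVE record or of n8n-mcp's own code), the Python below scans log lines of outbound requests tagged with the vector that supplied the URL and flags destinations in private, loopback, link-local or cloud-metadata ranges; the log format, field names and sample URLs are constructed assumptions, and the same check applies equally to a URL before the server fetches it.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines (not n8n-mcp's real log format): one outbound
# request per line, tagged with the vector that supplied the URL.
SAMPLE_LOG = """\
t=1 vector=webhook_trigger url=https://api.example.com/v1/hooks
t=2 vector=x-n8n-url url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
t=3 vector=N8N_API_URL url=http://10.0.3.17:5678/api/v1/workflows
t=4 vector=x-n8n-url url=http://[::ffff:169.254.169.254]/computeMetadata/v1/
t=5 vector=webhook_trigger url=https://hooks.example.net/abc
"""
LOG_LINE = re.compile(r"vector=(?P<vector>\S+)\s+url=(?P<url>\S+)")
METADATA_IP = ipaddress.ip_address("169.254.169.254")  # AWS/GCP/Azure IMDS
METADATA_HOSTS = {"metadata.google.internal"}           # GCP's IMDS hostname


def classify_destination(url):
    """Return why the n8n-mcp host should not fetch this URL, or None.
    Only IP literals and known metadata hostnames are judged; a DNS name returns
    None and must be re-checked at connect time (CWE-367: it can be rebound)."""
    host = urlsplit(url).hostname  # drops scheme, userinfo, port, brackets
    if not host:
        return "unparseable"
    if host.lower() in METADATA_HOSTS:
        return "cloud-metadata"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname, or an IP spelling ip_address() rejects
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d reaches the same IPv4 target
    if addr == METADATA_IP:
        return "cloud-metadata"
    for flag in ("is_loopback", "is_link_local", "is_private"):
        if getattr(addr, flag):
            return flag[3:].replace("_", "-")  # loopback / link-local / private
    return None


def scan_log(text):
    """Flag logged requests whose destination is internal or a metadata endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if m and (reason := classify_destination(m["url"])):
            findings.append({"vector": m["vector"], "url": m["url"], "reason": reason})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags lines t=2, t=3 and t=4; the IPv4-mapped IPv6 form on t=4 is caught because the address is normalised before the range checks.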