CVE-2026-44694
Received Received - Intake
Authenticated SSRF in n8n-MCP Server

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. This issue has been patched in version 2.50.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44694
EUVD
EUVD-2026-28825
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
n8n n8n From 2.18.7 (inc) to 2.50.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated server-side request forgery (SSRF) issue in the n8n-MCP server versions from 2.18.7 up to but not including 2.50.2. It affects the webhook trigger tools, the n8n API client (N8N_API_URL), and URLs provided via the x-n8n-url header when running in multi-tenant HTTP mode. Essentially, an authenticated user can exploit this flaw to make the server send unauthorized requests to internal or external systems.

Impact Analysis

The impact of this vulnerability includes the potential for an attacker with authentication to cause the server to make unintended requests, which could lead to unauthorized access to internal resources, data leakage, or interaction with internal services that are not normally exposed. This can compromise the confidentiality and integrity of the affected system and its data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade n8n-MCP to version 2.50.2 or later, where the authenticated server-side request forgery issue has been patched.

Compliance Impact

The vulnerability allows authenticated users to perform server-side request forgery (SSRF) attacks that can lead to internal service enumeration and credential theft, including temporary IAM, GCP service account, and Azure managed-identity credentials.

Such unauthorized access and potential credential theft could lead to exposure of sensitive data or unauthorized access to internal systems, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

Operators are advised to upgrade to the patched version 2.50.2 and apply recommended security configurations to mitigate the risk.

Detection Guidance

The vulnerability allows authenticated users to make HTTP requests from the n8n-mcp host to internal services and cloud metadata endpoints, which can be detected by monitoring unusual outbound HTTP requests from the n8n-mcp server, especially those targeting internal IP ranges or cloud metadata IP addresses.

Detection can involve checking logs for requests that use the webhook trigger tools, the n8n API client (N8N_API_URL), or the x-n8n-url header in multi-tenant HTTP mode, as these are the vectors for the SSRF.

Suggested commands include network monitoring tools or log inspection commands such as:

  • Using tcpdump or similar to monitor outbound HTTP requests from the n8n-mcp host: tcpdump -i <interface> 'tcp port 80 or tcp port 443'
  • Grep logs for suspicious webhook or API client requests containing unusual URLs or internal IP addresses: grep -iE 'x-n8n-url|N8N_API_URL' /path/to/n8n-mcp/logs/*
  • Check for HTTP requests to cloud metadata IP ranges (e.g., 169.254.169.254 for AWS, GCP, Azure) from the n8n-mcp server.

Operators should also verify the configuration of WEBHOOK_SECURITY_MODE to ensure it is set appropriately to restrict SSRF attack vectors.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44694. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart