Threat Advisory

n8n-mcp webhook and API client paths have an authenticated SSRF vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44694 (CVSS 7.2) is a Server-Side Request Forgery (SSRF) vulnerability in the npm package `n8n-mcp`, affecting versions from 2.18.7 up to but not including 2.50.2. The affected code paths are the webhook trigger tools, the n8n API client (the `N8N_API_URL` setting), and the per-request URLs supplied through the `x-n8n-url` header in multi-tenant HTTP mode. An authenticated attacker with access to an MCP session can use these paths to make the n8n-mcp host issue HTTP requests to internal services and cloud metadata endpoints, enabling internal-service enumeration and credential theft without needing an out-of-band channel. The resulting access to internal services and stolen credentials can lead to unauthorized access to sensitive data and potential financial losses. Exploitation requires a valid MCP session on the n8n-mcp host; in single-tenant deployments the attacker must also be able to influence the tool calls that session makes, and in multi-tenant deployments the n8n-mcp host must be able to reach the operator's cloud metadata service.

RECOMMENDATION:

We recommend updating n8n-mcp to version 2.50.2 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-cmrh-wvq6-wm9r
