{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39974", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.628Z", "datePublished": "2026-04-09T16:45:20.490Z", "dateUpdated": "2026-04-13T20:09:26.781Z"}, "containers": {"cna": {"title": "n8n-MCP has an Authenticated SSRF via instance-URL header in multi-tenant HTTP mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-4ggg-h7ph-26qr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-4ggg-h7ph-26qr"}, {"name": "https://github.com/czlonkowski/n8n-mcp/commit/d9d847f230923d96e0857ccecf3a4dedcc9b0096", "tags": ["x_refsource_MISC"], "url": "https://github.com/czlonkowski/n8n-mcp/commit/d9d847f230923d96e0857ccecf3a4dedcc9b0096"}, {"name": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.4"}], "affected": [{"vendor": "czlonkowski", "product": "n8n-mcp", "versions": [{"version": "< 2.47.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:45:20.490Z"}, "descriptions": [{"lang": "en", "value": "n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach \u2014 including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4."}], "source": {"advisory": "GHSA-4ggg-h7ph-26qr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:09:16.284220Z", "id": "CVE-2026-39974", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:09:26.781Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:09:16.284220Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:09:23.319Z"}}], "cna": {"title": "n8n-MCP has an Authenticated SSRF via instance-URL header in multi-tenant HTTP mode", "source": {"advisory": "GHSA-4ggg-h7ph-26qr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "czlonkowski", "product": "n8n-mcp", "versions": [{"status": "affected", "version": "< 2.47.4"}]}], "references": [{"url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-4ggg-h7ph-26qr", "name": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-4ggg-h7ph-26qr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/czlonkowski/n8n-mcp/commit/d9d847f230923d96e0857ccecf3a4dedcc9b0096", "name": "https://github.com/czlonkowski/n8n-mcp/commit/d9d847f230923d96e0857ccecf3a4dedcc9b0096", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.4", "name": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach \u2014 including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:45:20.490Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39974", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:09:26.781Z", "dateReserved": "2026-04-08T00:01:47.628Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T16:45:20.490Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:n8n-mcp:n8n-mcp:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CAAB9F8-4304-40CE-8A09-81BCE0D42741", "versionEndExcluding": "2.47.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach \u2014 including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4."}], "id": "CVE-2026-39974", "lastModified": "2026-04-20T18:32:37.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T17:16:30.933", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/czlonkowski/n8n-mcp/commit/d9d847f230923d96e0857ccecf3a4dedcc9b0096"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-4ggg-h7ph-26qr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.47.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "n8n-mcp", "source": "cna", "vendor": "czlonkowski"}, "product": "n8n-mcp", "vendor": "czlonkowski"}], "analysis": {"en": {"generated_at": "2026-04-09T18:22:54.574411+00:00", "value": {"mitigation_remediation": ["Update n8n\u2011MCP to version 2.47.4 or later", "If upgrading is not immediately possible, restrict or revoke any shared AUTH_TOKENs and ensure tokens are issued only to trusted operators", "Disable multi\u2011tenant HTTP mode or remove the instance\u2011URL header handling in current deployments"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via Authenticated SSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of n8n\u2011MCP up to and including version 2.47.3 that run in multi\u2011tenant HTTP mode. Deployments that are single\u2011tenant STDIO or HTTP without the multi\u2011tenant header are not affected. The issue is resolved in release 2.47.4, where the SSRF vector has been closed.", "description_and_impact": "Authenticated Server\u2011Side Request Forgery exists in n8n\u2011MCP versions prior to 2.47.4. An operator holding a valid AUTH_TOKEN can supply an arbitrary URL in a multi\u2011tenant HTTP header; the server will issue an HTTP request to that URL and return the response body through JSON\u2011RPC. This flaw allows a threat actor who can obtain a token or share it with less\u2011trusted clients to read any content the server can reach, including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and arbitrary hosts. The vulnerability is classified as CWE\u2011918 and can lead to significant confidentiality compromises and further exploitation after exposure of credentials or internal topology.", "risk_and_exploitability": "The CVSS score of 8.5 indicates high severity. The vulnerability requires authenticated access; thus the attacker must possess or acquire a valid AUTH_TOKEN. Once authenticated, the exploitation path is straightforward: supply a malicious instance\u2011URL header and read the reflected response. No exploit probability score is provided, and the vulnerability is not listed in CISA\u2019s KEV catalog. The risk remains high for environments that share tokens with less\u2011trusted parties or have lax token control."}}}}, "created": "2026-04-10T08:52:54.961007+00:00", "updated": "2026-04-10T09:32:06.844748+00:00", "vendors": ["czlonkowski", "czlonkowski$PRODUCT$n8n-mcp"]}