CVE

CVE-2026-44694

n8n-mcp webhook and API client paths has an authenticated SSRF

Summary

Authenticated Server-Side Request Forgery affecting the webhook trigger tools, the n8n API client (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode.

Impact

A caller with access to the MCP session can drive HTTP requests from the n8n-mcp host to internal services and cloud metadata endpoints that the SSRF gate is meant to block. The response body is returned to the caller, making internal-service enumeration and credential theft immediate without any out-of-band channel.

  • Multi-tenant HTTP deployments where tenants share an AUTH_TOKEN: any tenant with valid credentials can reach the operator's cloud metadata service and exfiltrate temporary IAM / GCP service account / Azure managed-identity credentials.
  • Single-tenant deployments: indirect prompt injection through tool arguments reaches the same surface; an attacker who can influence the LLM's tool calls can read internal services from the n8n-mcp host.
  • Stdio deployments are reachable via the same prompt-injection path.

Patched Versions

Fixed in n8n-mcp@2.50.2.

Note for operators: The same SSRF gate that previously covered webhook URLs now also covers the n8n API client base URL. If N8N_API_URL points at http://localhost:5678 (n8n on the same host) or an RFC1918 address (n8n on the same private network), set WEBHOOK_SECURITY_MODE=moderate (allows localhost, still blocks RFC1918 and cloud metadata) or WEBHOOK_SECURITY_MODE=permissive (allows RFC1918 too; only safe on a trusted private network). The default, strict, is correct for deployments where n8n is reachable at a public hostname.

Workarounds

For deployments that cannot upgrade immediately:

  1. Restrict network egress from the n8n-mcp host with a firewall, reverse proxy, or cloud security group. Explicitly deny cloud metadata IPs (169.254.169.254, 169.254.170.2, 100.100.100.200, 192.0.0.192, and the IP that the GCP hostname metadata.google.internal resolves to) and any RFC1918 networks the server does not legitimately need to reach.
  2. Run in stdio mode instead of HTTP if the multi-tenant surface is not needed (no shared AUTH_TOKEN to compromise).
  3. Disable workflow management tools via DISABLED_TOOLS=n8n_trigger_webhook_workflow,n8n_create_workflow,n8n_test_workflow if the deployment does not need them.
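The following is an added illustration, not n8n-mcp's own code, of what an outbound-URL gate with the strict/moderate/permissive modes described in the operator note above has to get right: localhost is the only thing moderate mode relaxes, RFC1918 is only relaxed by permissive mode, and the cloud metadata addresses listed in workaround 1 plus the rest of the 169.254.0.0/16 link-local range are refused in every mode. The resolver callback, the demo hostname table, and the pinnedIp field (returned so the caller connects to the address that was checked rather than re-resolving the name) are assumptions of this example.

```typescript
// Added example of an SSRF egress gate with three modes; not n8n-mcp's code.
type SecurityMode = "strict" | "moderate" | "permissive";

interface GateResult {
  allowed: boolean;
  reason: string;
  // Address the caller should connect to. Re-resolving the hostname after the
  // check reopens a DNS-rebinding window, so the checked IP is handed back.
  pinnedIp?: string;
}

// Cloud metadata addresses named in the advisory's workaround list.
const METADATA_ADDRESSES: ReadonlySet<string> = new Set([
  "169.254.169.254", // AWS / Azure / GCP instance metadata
  "169.254.170.2",   // AWS ECS task credentials endpoint
  "100.100.100.200", // Alibaba Cloud metadata
  "192.0.0.192",     // Oracle Cloud metadata
]);
const METADATA_HOSTNAMES: ReadonlySet<string> = new Set(["metadata.google.internal"]);

// Hypothetical resolver signature (assumption): IPv4 string for a hostname, or null.
type Resolver = (hostname: string) => string | null;

function parseIPv4(text: string): number[] | null {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : -1));
  return octets.every((n) => n >= 0 && n <= 255) ? octets : null;
}

function isLoopback(o: number[]): boolean { return o[0] === 127; }
function isLinkLocal(o: number[]): boolean { return o[0] === 169 && o[1] === 254; }
function isRfc1918(o: number[]): boolean {
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
}

function loopbackDecision(mode: SecurityMode, ip: string): GateResult {
  return mode === "strict"
    ? { allowed: false, reason: `loopback ${ip} blocked in strict mode` }
    : { allowed: true, reason: `loopback ${ip} allowed in ${mode} mode`, pinnedIp: ip };
}

function checkOutboundUrl(raw: string, mode: SecurityMode, resolve: Resolver): GateResult {
  let url: URL;
  try { url = new URL(raw); } catch (_e) { return { allowed: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const host = url.hostname.toLowerCase();

  // IPv6 literals arrive bracketed. Only ::1 is classified here; anything
  // else is refused rather than risk mis-classifying it (a conservative choice).
  if (host.startsWith("[")) {
    if (host === "[::1]") return loopbackDecision(mode, "::1");
    return { allowed: false, reason: "IPv6 literal not supported by this gate" };
  }
  if (METADATA_HOSTNAMES.has(host)) return { allowed: false, reason: "cloud metadata hostname" };

  let octets = parseIPv4(host);
  let ip = host;
  if (host === "localhost") { octets = [127, 0, 0, 1]; ip = "127.0.0.1"; }
  if (octets === null) {
    // Not a literal: resolve once and classify the result.
    const resolved = resolve(host);
    const parsed = resolved === null ? null : parseIPv4(resolved);
    if (resolved === null || parsed === null) return { allowed: false, reason: `cannot resolve ${host}` };
    octets = parsed;
    ip = resolved;
  }
  // Metadata and link-local addresses are refused in every mode.
  if (METADATA_ADDRESSES.has(ip) || isLinkLocal(octets)) {
    return { allowed: false, reason: `metadata/link-local address ${ip} blocked` };
  }
  if (isLoopback(octets)) return loopbackDecision(mode, ip);
  if (isRfc1918(octets)) {
    return mode === "permissive"
      ? { allowed: true, reason: `RFC1918 ${ip} allowed in permissive mode`, pinnedIp: ip }
      : { allowed: false, reason: `RFC1918 ${ip} blocked in ${mode} mode` };
  }
  return { allowed: true, reason: `public address ${ip}`, pinnedIp: ip };
}

// Constructed lookup table standing in for DNS, so the example runs offline.
const DEMO_RESOLVER: Resolver = (hostname) =>
  ({
    "n8n.example.com": "203.0.113.10",
    "n8n.internal.example": "10.0.0.5",
    "metadata.google.internal": "169.254.169.254",
  } as Record<string, string>)[hostname] ?? null;

console.log(checkOutboundUrl("http://localhost:5678/webhook/test", "strict", DEMO_RESOLVER));
console.log(checkOutboundUrl("http://localhost:5678/webhook/test", "moderate", DEMO_RESOLVER));
console.log(checkOutboundUrl("http://n8n.internal.example/api/v1/", "moderate", DEMO_RESOLVER));
console.log(checkOutboundUrl("http://169.254.169.254/latest/meta-data/", "permissive", DEMO_RESOLVER));
```

The gate is applied to every URL the process will fetch on a caller's behalf: webhook targets, the API client base URL, and any per-request override. Resolving the name inside the check and pinning the connection to the returned address is what keeps a hostname that later re-resolves to a metadata or private address from slipping past a check that only looked at the literal.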

Credit

Reported by @fg0x0.


CVSS

Base Score: 7.2
CVSS Version: 4.0
Score Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-cmrh-wvq6-wm9r
https://nvd.nist.gov/vuln/detail/CVE-2026-44694
https://github.com/czlonkowski/n8n-mcp/commit/bcaba839409d470abeb4a6ad9b361b553a1098eb
https://github.com/czlonkowski/n8n-mcp
https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.50.2

Severity

CVSS Score: 9.1 (on a 0 to 10 scale)

Basic Information

Base CVSS: 9.1
EPSS Probability: 0.00033%
EPSS Percentile: 0.09703%
Introduced Version: 2.18.7
Fix Available: 2.50.2
