CVE-2026-39974
HIGH8.5EPSS 0.01%n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode
描述
## Impact An authenticated Server-Side Request Forgery in `n8n-mcp` allows a caller holding a valid `AUTH_TOKEN` to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid `AUTH_TOKEN`, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. ## Affected versions `n8n-mcp` ≤ `2.47.3` (all versions up to and including 2.47.3). ## Patched versions `n8n-mcp` `2.47.4` and later. ## Workarounds If you cannot immediately upgrade: 1. **Egress filtering at the network layer** — block outbound traffic from the `n8n-mcp` container to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local `169.254.0.0/16`, and any other internal ranges. This defends against any future SSRF-class issue and is recommended even after upgrading. 2. **Disable multi-tenant headers** — if your deployment does not require per-request instance switching, unset `ENABLE_MULTI_TENANT` and do not accept `x-n8n-url` / `x-n8n-key` headers at the reverse proxy. 3. **Restrict `AUTH_TOKEN` distribution** — ensure the bearer token is only held by fully trusted operators until you can upgrade. ## Remediation Upgrade to `n8n-mcp` 2.47.4 or later. No configuration changes are required; the fix adds validation at the URL entry points and normalizes URLs at the API client layer. ## Credits Reported by the Eresus Security Research Team. @ibrahmsql
受影響套件(1)
- npm/n8n-mcpfrom 0, < 2.47.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-39974
- PATCHhttps://github.com/czlonkowski/n8n-mcp
- WEBhttps://github.com/czlonkowski/n8n-mcp/commit/d9d847f230923d96e0857ccecf3a4dedcc9b0096
- WEBhttps://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.4
- WEBhttps://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-4ggg-h7ph-26qr