2.47.5
CVE-2026-39974 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in n8n-mcp, a Model Context Protocol (MCP) server used by n8n. This flaw allows authenticated attackers to manipulate the server into making HTTP requests to arbitrary URLs, potentially exposing sensitive internal resources. The vulnerability affects versions of n8n-mcp up to and including 2.47.4, and a patch is available in version 2.47.4.
The SSRF vulnerability in n8n-mcp poses a significant risk because it allows an attacker to leverage the server's privileges to access resources it would normally be restricted from. An authenticated attacker, possessing a valid AUTH_TOKEN, can craft malicious HTTP requests through multi-tenant headers, causing the n8n-mcp server to fetch data from any URL the server can reach. This includes sensitive cloud instance metadata endpoints like AWS IMDS, GCP, Azure, Alibaba, and Oracle, potentially revealing credentials, API keys, and other confidential information. The attacker can then reflect these responses back through JSON-RPC, effectively exfiltrating data. The blast radius extends to any internal network accessible by the n8n-mcp server.
CVE-2026-39974 was publicly disclosed on 2026-04-09. The vulnerability is not currently listed on CISA KEV, and there is no known EPSS score. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that a PoC will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-39974 is to immediately upgrade n8n-mcp to version 2.47.4 or later. If upgrading is not immediately feasible, apply temporary workarounds: restrict the n8n-mcp server's network access, in particular its outbound connections, to only the resources it needs; apply strict input validation to any data received from external sources; use a Web Application Firewall (WAF) or an egress proxy to filter outbound HTTP requests and block requests to suspicious URLs; and monitor n8n-mcp logs for unusual outbound HTTP requests. After upgrading, confirm the fix by attempting to trigger an HTTP request to an external URL and verifying that the request is blocked or denied.
Update to version 2.47.4 or higher to mitigate the SSRF vulnerability. This update fixes the issue by validating the URLs to which HTTP requests are made, preventing an authenticated attacker from forcing the server to make requests to arbitrary URLs.
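An added example, not code from n8n-mcp or its maintainers, of the kind of outbound URL validation the fix describes: a policy check run on a URL before the server fetches it, refusing the cloud metadata endpoints named above and non-public address space. The hostname list and rejection categories are assumptions chosen for illustration.

```typescript
// Added example, not n8n-mcp's own code: an egress policy check of the kind the
// fix describes, applied to a URL before the server fetches it.
import * as net from "node:net";
// Well-known metadata names (assumed list): AWS/Azure/Oracle IMDS (169.254.169.254),
// AWS IPv6 IMDS (fd00:ec2::254), GCP (metadata.google.internal), Alibaba (100.100.100.200).
const METADATA_HOSTS = new Set([
  "169.254.169.254", "fd00:ec2::254", "metadata.google.internal", "metadata",
  "100.100.100.200",
]);
function isPublicIPv4(ip: string): boolean {
  const [a = -1, b = -1] = ip.split(".").map(Number);
  if (a === 0 || a === 10 || a === 127) return false;       // "this", private, loopback
  if (a === 169 && b === 254) return false;                 // link-local (IMDS range)
  if (a === 172 && b >= 16 && b <= 31) return false;        // private
  if (a === 192 && b === 168) return false;                 // private
  if (a === 100 && b >= 64 && b <= 127) return false;       // CGNAT (Alibaba metadata)
  return true;
}
function isPublicIPv6(ip: string): boolean {
  if (ip === "::1" || ip === "::") return false;            // loopback, unspecified
  if (/^fe[89ab]/.test(ip) || /^f[cd]/.test(ip)) return false; // link-local, unique-local
  // IPv4-mapped addresses; the WHATWG URL parser serialises them as ::ffff:hhhh:hhhh
  const m = ip.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return isPublicIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (ip.startsWith("::ffff:")) return isPublicIPv4(ip.slice(7)); // dotted form
  return true;
}
function parse(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}
/** Returns null when the URL may be fetched, otherwise the reason it is refused. */
export function rejectReason(raw: string): string | null {
  const url = parse(raw);
  if (!url) return "unparseable URL";
  if (url.protocol !== "http:" && url.protocol !== "https:") return `scheme ${url.protocol} not allowed`;
  // The URL parser already canonicalises IPv4 spellings (0x7f000001 -> 127.0.0.1);
  // IPv6 literals keep their brackets in .hostname, so strip them before checking.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (METADATA_HOSTS.has(host)) return "cloud metadata endpoint";
  const family = net.isIP(host);
  if (family === 4 && !isPublicIPv4(host)) return "non-public IPv4 address";
  if (family === 6 && !isPublicIPv6(host)) return "non-public IPv6 address";
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal")) return "internal hostname";
  return null;
}
```

A public hostname that resolves to one of these addresses passes a string check, so the same address test should also be applied to the resolved address (for example via dns.lookup) immediately before the connection is made.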
CVE-2026-39974 is a Server-Side Request Forgery (SSRF) vulnerability in n8n-mcp, allowing authenticated attackers to make HTTP requests to arbitrary URLs.
You are affected if you are using n8n-mcp versions 2.47.4 or earlier. Upgrade to 2.47.4 to mitigate the risk.
Upgrade n8n-mcp to version 2.47.4 or later. Implement temporary workarounds like restricting network access and using a WAF if immediate upgrade is not possible.
There is no confirmed active exploitation at this time, but the SSRF nature of the vulnerability suggests potential for exploitation.
Refer to the official n8n security advisory for details and updates: [https://n8n.io/security/advisories](https://n8n.io/security/advisories)