Cyber Posture

CVE-2026-39974

Severity: High
Published: 09 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: fixed in 2.47.4
CVSS Score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0003 (9.2th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39974 is a high-severity SSRF (CWE-918) vulnerability in n8n-MCP (vendor: n8n-mcp). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1522). It is ranked at the 9.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Cloud Instance Metadata API (T1522) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires validation of arbitrary URLs supplied through multi-tenant HTTP headers to prevent the server from issuing requests to unauthorized destinations.
- prevent: Enforces boundary protection to monitor and control outbound communications, blocking access to internal network services and cloud metadata endpoints.
- prevent: Filters outbound information transfers to restricted destinations, preventing SSRF requests to sensitive URLs like AWS IMDS or internal hosts.

MITRE ATT&CK Enterprise Techniques

- T1522 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
- T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

The authenticated SSRF vulnerability directly enables attackers to supply arbitrary URLs (including cloud metadata endpoints like AWS IMDS, GCP, Azure) via multi-tenant headers, allowing the server to fetch and reflect responses, which facilitates querying Cloud Instance Metadata API for credentials and sensitive data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach, including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4.

Deeper analysis

CVE-2026-39974 is an authenticated Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting n8n-MCP versions prior to 2.47.4. n8n-MCP is a Model Context Protocol (MCP) server designed to provide AI assistants with access to n8n node documentation, properties, and operations. The issue arises when a caller with a valid AUTH_TOKEN supplies arbitrary URLs through multi-tenant HTTP headers, tricking the server into issuing HTTP requests to those destinations and reflecting the response bodies back via JSON-RPC.

Exploitation targets multi-tenant HTTP deployments where multiple operators can use valid AUTH_TOKENs or tokens are shared with less-trusted clients. An authenticated attacker can read contents from any URL reachable by the server process, including cloud instance metadata endpoints such as AWS IMDS, GCP, Azure, Alibaba, and Oracle, as well as internal network services. Single-tenant stdio deployments and HTTP setups without multi-tenant headers remain unaffected. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), reflecting high confidentiality impact with a scope change: the server's network access is turned against components beyond the MCP server itself.

Mitigation is available by upgrading to n8n-MCP version 2.47.4, which addresses the flaw. Official details are provided in the GitHub security advisory (GHSA-4ggg-h7ph-26qr), release notes for v2.47.4, and the fixing commit (d9d847f230923d96e0857ccecf3a4dedcc9b0096).

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products

n8n-mcp / n8n-mcp: ≤ 2.47.4

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, model context protocol, mcp, ai, mcp

CVEs Like This One

- CVE-2026-27479 (shared CWE-918)
- CVE-2026-33679 (shared CWE-918)
- CVE-2026-34936 (shared CWE-918)
- CVE-2026-41297 (shared CWE-918)
- CVE-2026-27826 (shared CWE-918)
- CVE-2026-39885 (shared CWE-918)
- CVE-2026-26324 (shared CWE-918)
- CVE-2026-31945 (shared CWE-918)
- CVE-2026-32133 (shared CWE-918)
- CVE-2026-27732 (shared CWE-918)

References