n8n-MCP Authenticated Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in n8n-MCP versions prior to 2.47.4. It allows an authenticated user with a valid AUTH_TOKEN to make the server issue HTTP requests to arbitrary URLs. The attack abuses the multi-tenant HTTP headers, and the bodies of the resulting responses are returned to the caller through JSON-RPC. As a result, an attacker could read sensitive data from cloud instance metadata endpoints, internal network services, or any other host the server can reach.
Impact
Exploitation of this vulnerability allows for authenticated server-side request forgery, with the potential to access sensitive data from cloud metadata endpoints and internal network services.
Reproduction
To reproduce this vulnerability, an authenticated user must send a request with a valid AUTH_TOKEN and include arbitrary URLs in the multi-tenant HTTP headers. The server will then make a request to the specified URL and return the response body through JSON-RPC.
Remediation
Users are advised to upgrade to n8n-MCP version 2.47.4 or later. The update includes validation and normalization of URLs to prevent SSRF. No additional configuration changes are necessary.
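One way to implement the URL validation and normalization the fix describes, as an added example written for this page (not n8n-MCP's own code); the header name and the list of blocked hostnames are illustrative assumptions:

```javascript
// Added example (not n8n-MCP's own code): validate and normalize an upstream
// URL taken from a per-request tenant header before the server fetches from it.
// The header name X-N8N-URL and the blocked host list are assumptions.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Hostnames that denote the local machine or well-known cloud metadata services.
const BLOCKED_HOSTS = new Set(['localhost', 'metadata.google.internal', 'metadata', 'instance-data']);

// Parse a dotted-quad IPv4 literal into its four octets, or null if it is not one.
function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for unspecified, loopback, RFC 1918, CGNAT, link-local (this covers the
// 169.254.169.254 metadata address), multicast and reserved ranges.
function isDisallowedIpv4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224;
}

// Returns the normalized origin to contact (scheme://host[:port]), or throws.
// The WHATWG URL parser lowercases the host and folds alternative IPv4 spellings
// (decimal, octal, hex) into dotted-quad form, so the range check cannot be bypassed that way.
function validateUpstreamUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { throw new Error('not a valid absolute URL'); }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) throw new Error(`scheme ${url.protocol} not allowed`);
  if (url.username || url.password) throw new Error('credentials in URL not allowed');
  const host = url.hostname;
  if (BLOCKED_HOSTS.has(host) || host.endsWith('.localhost')) throw new Error(`host ${host} is blocked`);
  if (host.startsWith('[')) throw new Error('IPv6 literals are not accepted'); // keep the policy simple
  const octets = ipv4Octets(host);
  if (octets && isDisallowedIpv4(octets)) throw new Error(`address ${host} is in a non-routable range`);
  return url.origin; // path, query and fragment from the header are discarded
}

// Boolean convenience wrapper for callers that only need accept/reject.
function isSafeUpstreamUrl(raw) {
  try { validateUpstreamUrl(raw); return true; } catch { return false; }
}
```

Checking the literal host does not cover a public hostname that resolves to an internal address; the resolved address should be re-checked against the same ranges when the connection is made.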
