n8n-MCP Authenticated Server-Side Request Forgery Vulnerability

Vulnerability

An authenticated server-side request forgery (SSRF) vulnerability has been identified in n8n-MCP versions from 2.18.7 up to, but not including, 2.50.2. It affects the webhook trigger tools, the n8n API client (the URL configured in N8N_API_URL), and the per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. The SSRF gate that is supposed to block requests to internal services and cloud metadata endpoints can be bypassed, so a caller with access to the MCP session can make the n8n-MCP host issue HTTP requests to those restricted destinations.

Impact

Exploitation gives access to internal services and cloud metadata endpoints that the gate should block, and the response body is returned to the caller. In multi-tenant HTTP deployments, any tenant with valid credentials can reach the operator's cloud metadata service and exfiltrate the credentials it serves. In single-tenant deployments, the vulnerability is reachable through indirect prompt injection (untrusted content that an agent ends up passing into the tools), allowing internal services to be read from the n8n-MCP host. The same prompt-injection path applies to stdio deployments.

Reproduction

To reproduce this vulnerability, deploy n8n-MCP in multi-tenant HTTP mode at a version that is 2.18.7 or later but earlier than 2.50.2. Point N8N_API_URL (or, per request, the x-n8n-url header) at a localhost or RFC1918 address. An authenticated caller can then invoke the webhook trigger tools and have the n8n-MCP host fetch internal services or cloud metadata endpoints, with the response body returned to the caller.

Remediation

Upgrade to n8n-MCP 2.50.2 or later. After upgrading, if n8n runs on the same host as n8n-MCP, set WEBHOOK_SECURITY_MODE=moderate, which allows localhost while still blocking private networks and cloud metadata endpoints. Only relax to moderate when that co-location is actually needed, since it re-opens localhost as a reachable destination for anyone with an MCP session.
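The gate that the Vulnerability and Remediation sections describe, as an added example in TypeScript (n8n-MCP's language) that is not n8n-MCP's own code: it canonicalises the URL with the WHATWG parser, classifies the host as loopback, private, metadata (link-local) or public, and applies either a strict policy or the moderate policy from the remediation note (localhost allowed, private networks and cloud metadata blocked). The mode names mirror WEBHOOK_SECURITY_MODE; the function names, the address class names, the metadata hostname list, the resolvedAddress parameter and the sample URLs are assumptions.

```typescript
// Added example, not n8n-MCP's own code: an outbound-URL gate of the kind the
// advisory describes. Mode names mirror WEBHOOK_SECURITY_MODE; the function
// names, address classes and the metadata hostname list are assumptions.
// URL below is the WHATWG parser that Node exposes as a global.

type SecurityMode = "strict" | "moderate";
type AddressClass = "loopback" | "private" | "metadata" | "public" | "hostname";

interface GateResult {
  allowed: boolean;
  host: string;              // canonical host or address the decision was made on
  addressClass: AddressClass;
  reason: string;
}

// Well-known metadata service hostnames (constructed list, not exhaustive).
const METADATA_HOSTNAMES = new Set(["metadata.google.internal", "metadata"]);

function parseIPv4(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base)! & mask) >>> 0);
}

function classifyIPv4(ip: number): AddressClass {
  // 0.0.0.0/8 reaches the local host on Linux, so it is treated as loopback.
  if (inCidr(ip, "127.0.0.0", 8) || inCidr(ip, "0.0.0.0", 8)) return "loopback";
  // 169.254.0.0/16 is link-local; AWS, Azure and GCP serve IMDS from 169.254.169.254.
  if (inCidr(ip, "169.254.0.0", 16)) return "metadata";
  if (inCidr(ip, "10.0.0.0", 8) || inCidr(ip, "172.16.0.0", 12) || inCidr(ip, "192.168.0.0", 16)) {
    return "private";
  }
  return "public";
}

// Classify the host exactly as URL.hostname hands it back. WHATWG parsing has
// already canonicalised IPv4 shorthand (127.1, 0x7f000001 and 2130706433 all
// become 127.0.0.1) and lower-cased/compressed IPv6, so only canonical forms remain.
function classifyAddress(rawHost: string): AddressClass {
  const host = rawHost.toLowerCase().replace(/^\[|\]$/g, "");
  const v4 = parseIPv4(host);
  if (v4 !== null) return classifyIPv4(v4);
  if (host === "::1" || host === "::") return "loopback";
  // IPv4-mapped IPv6, hex-group form (::ffff:7f00:1) or dotted form (::ffff:127.0.0.1).
  const mappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (mappedHex) return classifyIPv4(parseInt(mappedHex[1], 16) * 65536 + parseInt(mappedHex[2], 16));
  const mappedDotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(host);
  if (mappedDotted) {
    const v = parseIPv4(mappedDotted[1]);
    if (v !== null) return classifyIPv4(v);
  }
  if (/^f[cd][0-9a-f]{2}:/.test(host)) return "private";  // fc00::/7 unique-local (AWS IMDS fd00:ec2::254 is here)
  if (/^fe[89ab][0-9a-f]:/.test(host)) return "metadata"; // fe80::/10 link-local
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback";
  if (METADATA_HOSTNAMES.has(host)) return "metadata";
  return "hostname"; // a DNS name: its address is unknown until the caller resolves it
}

// Destination classes refused per mode. "moderate" matches the remediation note:
// localhost allowed (n8n on the same host), private networks and metadata blocked.
const BLOCKED: Record<SecurityMode, AddressClass[]> = {
  strict: ["loopback", "private", "metadata"],
  moderate: ["private", "metadata"],
};

// resolvedAddress is the IP the caller obtained by resolving the hostname. The gate
// fails closed on bare DNS names: the literal alone cannot show where they point,
// and a rebinding answer can change that between the check and the connect.
function gateUrl(input: string, mode: SecurityMode, resolvedAddress?: string): GateResult {
  let url: URL;
  try {
    url = new URL(input);
  } catch {
    return { allowed: false, host: input, addressClass: "hostname", reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, host: url.hostname, addressClass: "hostname", reason: `scheme ${url.protocol} not allowed` };
  }
  const subject = resolvedAddress ?? url.hostname;
  const cls = classifyAddress(subject);
  if (BLOCKED[mode].includes(cls)) {
    return { allowed: false, host: subject, addressClass: cls, reason: `${cls} address blocked in ${mode} mode` };
  }
  if (cls === "hostname") {
    return { allowed: false, host: subject, addressClass: cls, reason: "unresolved DNS name: resolve it and re-check with resolvedAddress" };
  }
  return { allowed: true, host: subject, addressClass: cls, reason: `${cls} address allowed in ${mode} mode` };
}

// Constructed sample inputs, one per vector the advisory names.
const samples: Array<[string, SecurityMode]> = [
  ["http://169.254.169.254/latest/meta-data/", "moderate"], // x-n8n-url pointed at IMDS
  ["http://2130706433/api/v1/workflows", "strict"],         // N8N_API_URL as a decimal IP
  ["http://localhost:5678/webhook-test/abc", "moderate"],   // webhook on the same host
];
for (const [u, mode] of samples) console.log(mode, u, gateUrl(u, mode));
```

All three entry points the advisory lists (the webhook trigger tools, N8N_API_URL, and the x-n8n-url header) have to pass through the same gateUrl call; a gate that covers only one of them is what the page describes as bypassable. Because DNS names are refused until the caller resolves them and passes the address back, the caller must then also connect to that same address (for example through a custom lookup on the HTTP agent) rather than letting the client resolve the name a second time.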

Added: May 8, 2026, 10:04 PM
Updated: May 8, 2026, 10:04 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  7.7
remediation     0.0
relevance       7.8
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.