n8n-mcp, Multiple Vulnerabilities, CVE-NONE (HIGH)


How the vulnerabilities work (three issues; no CVE id has been assigned):

  1. Path traversal via workflow id – The n8n API client does not validate caller-supplied identifiers before using them as URL path segments. An authenticated MCP caller can supply a crafted workflow id (e.g., ../../admin/endpoint), so the outbound request, which carries the configured n8n API key, lands on a different same-origin endpoint. This bypasses handler-level access controls, including DISABLED_TOOLS.
  2. Redirect-based SSRF – Validated webhook, form, and chat trigger URLs are fetched with redirects enabled. A URL that passes the initial validation can redirect the outbound request to a host the validator had rejected. Because the response body is returned to the caller, this is non-blind SSRF over authenticated MCP calls.
  3. Telemetry leakage – Mutation telemetry stores operation payloads without redaction. Instances with the default opt-in telemetry upload partial-update operation diffs that contain node-parameter values (bearer tokens, API keys, webhook secrets) unredacted.
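Issues 1 and 2 share a root cause: validation runs once, on the raw input, rather than on the exact string that reaches the network. The following is an added example, not code from n8n-mcp, showing the vulnerable raw id interpolation beside a validated URL builder, and a redirect follower that re-applies the same host policy on every hop. The n8n base URL, the accepted id format, the host allowlist and the route table are constructed assumptions; the transport is a stub so the example runs offline.

```javascript
// Added example (not n8n-mcp's own code). Issue 1: a caller-supplied workflow id
// must be validated before it becomes a URL path segment. Issue 2: redirects must
// be followed hop by hop, re-checking every hop against the same host policy as
// the first URL. Base URL, id format, allowlist and routes are assumptions.

const N8N_BASE = 'https://n8n.internal.example/api/v1/'; // assumed n8n REST base

// Assumed id shape: short, URL-safe tokens. Note that encodeURIComponent leaves
// '.' untouched, so encoding alone never stops '..' segments; the allowlist does.
const WORKFLOW_ID = /^[A-Za-z0-9_-]{1,64}$/;

// Vulnerable pattern: the id is interpolated raw, so '../../admin/endpoint'
// walks out of /workflows/ and the API-key-bearing request hits /api/admin/endpoint.
function buildWorkflowUrlUnsafe(id) {
  return new URL(`workflows/${id}`, N8N_BASE).toString();
}

// Hardened pattern: allowlist the id, encode it, then confirm the resolved path is
// still under the /workflows/ prefix (defence in depth against parser quirks).
function buildWorkflowUrl(id) {
  if (typeof id !== 'string' || !WORKFLOW_ID.test(id)) {
    throw new Error(`invalid workflow id: ${JSON.stringify(id)}`);
  }
  const url = new URL(`workflows/${encodeURIComponent(id)}`, N8N_BASE);
  const prefix = new URL('workflows/', N8N_BASE).pathname;
  if (!url.pathname.startsWith(prefix)) {
    throw new Error('workflow id escaped the workflows path');
  }
  return url.toString();
}

// Host policy for outbound trigger URLs. A plain allowlist stands in for the
// project's validator; the point is that the same check runs on every hop.
function isAllowedTarget(urlString, allowedHosts) {
  let u;
  try { u = new URL(urlString); } catch { return false; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return false;
  return allowedHosts.has(u.hostname);
}

// Follow redirects manually. `request` is an injected transport returning
// { status, headers: Map, body } so this runs offline; with real fetch you would
// pass { redirect: 'manual' } and await each call.
function followRedirectsSafely(startUrl, allowedHosts, request, maxHops = 5) {
  let current = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowedTarget(current, allowedHosts)) {
      throw new Error(`blocked outbound request to ${current}`);
    }
    const res = request(current);
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) throw new Error(`redirect from ${current} without Location`);
      current = new URL(location, current).toString(); // resolve relative Location
      continue;
    }
    return res;
  }
  throw new Error(`too many redirects starting from ${startUrl}`);
}

// Constructed offline transport: a fixed route table instead of the network.
function makeStubTransport(routes) {
  return (url) => {
    const r = routes[url];
    if (!r) return { status: 404, headers: new Map(), body: '' };
    return { status: r.status, headers: new Map(Object.entries(r.headers || {})), body: r.body || '' };
  };
}

// Constructed scenario: hooks.example is the only allowed host; /bounce tries to
// redirect the outbound request to a loopback service and get its body back.
const SAMPLE_ROUTES = {
  'https://hooks.example/a': { status: 302, headers: { location: '/b' } },
  'https://hooks.example/b': { status: 200, body: 'trigger ok' },
  'https://hooks.example/bounce': { status: 302, headers: { location: 'http://127.0.0.1:5678/internal/stats' } },
  'https://hooks.example/loop': { status: 302, headers: { location: '/loop' } },
  'http://127.0.0.1:5678/internal/stats': { status: 200, body: 'internal data' },
};
const ALLOWED = new Set(['hooks.example']);

// Runs both scenarios and reports what the caller would observe.
function demo() {
  const transport = makeStubTransport(SAMPLE_ROUTES);
  const ok = followRedirectsSafely('https://hooks.example/a', ALLOWED, transport).body;
  let blocked = false;
  try { followRedirectsSafely('https://hooks.example/bounce', ALLOWED, transport); }
  catch (e) { blocked = /blocked/.test(e.message); }
  return { ok, blocked, unsafeUrl: buildWorkflowUrlUnsafe('../../admin/endpoint') };
}
```

Running `demo()` shows the same-origin redirect (`/a` to `/b`) succeeding, the redirect to the loopback host being refused before any request is sent, and the raw interpolation resolving to `/api/admin/endpoint`, outside the workflows collection.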

dailycve form:

Platform: n8n-mcp
Version: <2.50.1
Vulnerability: Path+SSRF+Leak
Severity: HIGH
Date: 2025-04-15

Prediction: 2025-04-20 (patch already available)

What Undercode Say:

Check vulnerable version:

    npx n8n-mcp --version

Test for path bypass (authenticated):

    curl -X POST http://target-mcp:3000/call \
      -H "Authorization: Bearer $MCP_TOKEN" \
      -d '{"workflow_id":"../../../admin/config"}'

Disable telemetry workaround:

    export N8N_MCP_TELEMETRY_DISABLED=true
    npx n8n-mcp telemetry disable

Exploit:

An authenticated attacker sends a crafted workflow id to reach internal same-origin endpoints (e.g., /internal/stats) with the n8n API key. A redirect chain through an attacker-controlled URL returns responses from internal hosts to the caller. Telemetry logs capture tokens from workflow updates.

Protection from this CVE:

Upgrade to ≥2.50.1. If that is not possible: restrict the HTTP transport with network ACLs to trusted callers; switch to stdio mode; disable telemetry via the env var or the `telemetry disable` command.
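Disabling telemetry is the operator-side workaround for issue 3; the fix on the producing side is to redact secret-bearing node-parameter values before a partial-update diff is ever recorded. The following is an added example, not n8n-mcp's own telemetry code, with the pre-fix behaviour (diff stored verbatim) selectable beside the redacting default. The sensitive key names, the value patterns, the event shape and the sample operations are constructed assumptions.

```javascript
// Added example (not n8n-mcp's own telemetry code). Redact secret-bearing
// node-parameter values from a partial-update operation diff before it is
// recorded. Key names, value patterns and the sample operations are assumptions.

const REDACTED = '[REDACTED]';

// Keys whose values are treated as secrets regardless of content (assumed list).
const SENSITIVE_KEY = /(token|secret|password|passwd|api[_-]?key|authorization|credential)/i;
// Values that look like credentials even under an innocent key such as "value".
const SENSITIVE_VALUE = /^(Bearer|Basic)\s+\S+$/i;

// Recursively copy `value`, replacing secrets. `key` is the property name (or array
// index) that holds `value`. n8n-style {name, value} pairs are handled so that a
// header entry named "Authorization" has its value redacted.
function redact(key, value) {
  if (value === null || typeof value !== 'object') {
    if (typeof value === 'string' && (SENSITIVE_KEY.test(key) || SENSITIVE_VALUE.test(value))) {
      return REDACTED;
    }
    return value;
  }
  if (SENSITIVE_KEY.test(key)) return REDACTED; // whole sub-object under a secret key
  if (Array.isArray(value)) return value.map((v, i) => redact(String(i), v));
  const out = {};
  const pairName = typeof value.name === 'string' ? value.name : '';
  for (const [k, v] of Object.entries(value)) {
    out[k] = (k === 'value' && SENSITIVE_KEY.test(pairName)) ? redact(pairName, v) : redact(k, v);
  }
  return out;
}

// Telemetry event builder. `redactPayload: false` reproduces the pre-fix behaviour
// (diff stored verbatim); the default records only the redacted diff.
function buildMutationEvent(operations, { redactPayload = true } = {}) {
  return {
    event: 'workflow_mutation',
    operationCount: operations.length,
    operations: redactPayload ? redact('operations', operations) : operations,
  };
}

// Demo-only check: does the serialized event still contain a known secret value?
// (Production code cannot enumerate secrets; this exists to make the leak visible.)
function containsSecret(event, secret) {
  return JSON.stringify(event).includes(secret);
}

// Constructed partial-update diff in the shape of node updates (all values fake).
const SAMPLE_OPERATIONS = [
  { type: 'updateNode', nodeId: 'HTTP Request', updates: { parameters: {
      url: 'https://api.example/v1/items',
      headerParameters: { parameters: [{ name: 'Authorization', value: 'Bearer tok_constructed_123' }] },
  } } },
  { type: 'updateNode', nodeId: 'Webhook', updates: { parameters: { path: 'incoming', webhookSecret: 'whsec_constructed_456' } } },
  { type: 'updateNode', nodeId: 'Slack', updates: { credentials: { slackApi: { id: '7', apiKey: 'sk_constructed_789' } } } },
];
```

With the default options, `buildMutationEvent(SAMPLE_OPERATIONS)` keeps the structural information telemetry needs (operation types, node ids, the request URL, the webhook path) and replaces every bearer token, webhook secret and credential block with `[REDACTED]`, whereas `{ redactPayload: false }` reproduces the leak described in issue 3.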

Impact:

Attackers with valid MCP authentication can read internal API responses (SSRF), bypass tool access restrictions, and steal credentials from telemetry data, leading to lateral movement and privilege escalation.

Sources:

Reported By: github.com