Listen to this Post
How the mentioned CVE works:
The vulnerability exists in n8n-mcp versions ≤2.47.3 when deployed in multi-tenant HTTP mode. An attacker who possesses a valid `AUTH_TOKEN` can manipulate HTTP headers that control backend requests. Specifically, the headers `x-n8n-url` and `x-n8n-key` are used to switch instances per request. Due to insufficient validation, an authenticated caller can set `x-n8n-url` to an arbitrary URL (e.g., `http://169.254.169.254/latest/meta-data/`). The server then initiates an HTTP request to that attacker-controlled URL. The response body from the target URL is read and reflected back to the attacker via the JSON-RPC response channel. This allows the attacker to probe internal networks, access cloud metadata endpoints, and interact with any host reachable from the server process. The attack does not require any additional privileges beyond a valid bearer token. The SSRF is blind in the sense that the response is returned, making it fully exploitable for data exfiltration. Multi-tenant deployments where multiple operators share the same token are most at risk. Single-tenant stdio deployments and HTTP deployments without the multi-tenant headers are not affected because the vulnerable header processing is disabled.
dailycve form:
Platform: n8n-mcp
Version: ≤2.47.3
Vulnerability: SSRF
Severity: Critical
date: 2026-04-09
Prediction: Patched in 2.47.4
What Undercode Say:
Check if multi-tenant headers are enabled curl -H "Authorization: Bearer $AUTH_TOKEN" \ -H "x-n8n-url: http://169.254.169.254/latest/meta-data/" \ http://target-n8n:5678/api/endpoint Egress filtering using iptables (defense) iptables -A OUTPUT -d 10.0.0.0/8 -j DROP iptables -A OUTPUT -d 172.16.0.0/12 -j DROP iptables -A OUTPUT -d 192.168.0.0/16 -j DROP iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
Exploit:
Send authenticated JSON-RPC request with malicious `x-n8n-url` header pointing to internal resource. Receive reflected response.
Protection from this CVE:
Upgrade to v2.47.4 or later. Apply egress filtering. Disable `ENABLE_MULTI_TENANT` if not needed.
Impact:
Internal network scan, cloud metadata theft, arbitrary URL read from server context.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

