Skip to main content

Oracle CVE-2026-39974

| EUVDEUVD-2026-20968 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 https://github.com/czlonkowski/n8n-mcp GHSA-4ggg-h7ph-26qr
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 20, 2026 - 18:37 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 14:45 euvd
EUVD-2026-20968
Analysis Generated
Apr 09, 2026 - 14:45 vuln.today
Patch released
Apr 09, 2026 - 14:45 nvd
Patch available
CVE Published
Apr 08, 2026 - 19:53 nvd
HIGH 8.5

DescriptionGitHub Advisory

Impact

An authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach - including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to.

The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected.

Affected versions

n8n-mcp2.47.3 (all versions up to and including 2.47.3).

Patched versions

n8n-mcp 2.47.4 and later.

Workarounds

If you cannot immediately upgrade:

  1. Egress filtering at the network layer - block outbound traffic from the n8n-mcp container to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local 169.254.0.0/16, and any other internal ranges. This defends against any future SSRF-class issue and is recommended even after upgrading.
  2. Disable multi-tenant headers - if your deployment does not require per-request instance switching, unset ENABLE_MULTI_TENANT and do not accept x-n8n-url / x-n8n-key headers at the reverse proxy.
  3. Restrict AUTH_TOKEN distribution - ensure the bearer token is only held by fully trusted operators until you can upgrade.

Remediation

Upgrade to n8n-mcp 2.47.4 or later. No configuration changes are required; the fix adds validation at the URL entry points and normalizes URLs at the API client layer.

Credits

Reported by the Eresus Security Research Team. @ibrahmsql

AnalysisAI

Server-Side Request Forgery in n8n-mcp (npm package) versions ≤2.47.3 allows authenticated attackers with valid AUTH_TOKEN to force the server to issue HTTP requests to arbitrary URLs via manipulated multi-tenant HTTP headers (x-n8n-url, x-n8n-key). Response bodies are reflected through JSON-RPC, enabling unauthorized access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Oracle, Alibaba), internal network services, and any host reachable by the server process. Multi-tenant HTTP deployments with shared or multiple AUTH_TOKENs are at highest risk. No public exploit identified at time of analysis.

Technical ContextAI

CWE-918 SSRF arises from insufficient validation of user-controlled URLs passed through multi-tenant HTTP headers before server-issued requests. The vulnerability permits URL reflection in JSON-RPC responses, enabling metadata exfiltration. Patch 2.47.4 implements URL entry-point validation and client-layer normalization. Single-tenant stdio deployments remain unaffected.

RemediationAI

Vendor-released patch: upgrade to n8n-mcp version 2.47.4 or later; no configuration changes required. If immediate upgrade is not feasible, implement network-layer egress filtering to block outbound traffic to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local 169.254.0.0/16, and cloud metadata endpoints. Disable ENABLE_MULTI_TENANT flag and reject x-n8n-url/x-n8n-key headers at reverse proxy if multi-tenant functionality is unnecessary. Restrict AUTH_TOKEN distribution to fully trusted operators only. Official advisory and patch details: https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-4ggg-h7ph-26qr and commit https://github.com/czlonkowski/n8n-mcp/commit/d9d847f230923d96e0857ccecf3a4dedcc9b0096

Share

CVE-2026-39974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy