=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN474
_____________________________________________________________________

DATE                : 11/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running n8n-mcp (npm) versions prior to
                     2.51.3.

=====================================================================
https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-8g7g-hmwm-6rv2
https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-cmrh-wvq6-wm9r
https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-f3rg-xqjj-cj9w
_____________________________________________________________________

Path traversal, redirect-following SSRF, and telemetry payload
exposure in n8n-mcp

High
czlonkowski published GHSA-8g7g-hmwm-6rv2 May 4, 2026

Package
n8n-mcp (npm)

Affected versions
< 2.50.1

Patched versions
2.50.1


Description

Impact

n8n-mcp versions before 2.50.1 contained three independently reported
issues affecting deployments that run the n8n API integration:

  (1) Caller-supplied identifiers were not validated before being
      used as URL path segments by the n8n API client. An authenticated
      MCP caller passing a crafted workflow id could cause outbound
      requests carrying the configured n8n API key to land on other
      same-origin endpoints, bypassing handler-level access controls
      (including DISABLED_TOOLS).

  (2) Validated webhook, form, and chat trigger URLs followed
      redirects. A URL that passed initial validation could redirect
      the outbound request to a host that would otherwise have been
      rejected, with the response body returned to the caller.
      Reachable as non-blind SSRF over authenticated MCP calls.

  (3) Mutation telemetry stored unredacted operation payloads. On
      instances running with the default opt-in telemetry,
      partial-update operation diffs were uploaded without redaction.
      Operation values can carry the same node-parameter values the
      workflow contains, including bearer tokens, API keys, and
      webhook secrets.
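Issue (1) is a validation gap: an identifier is interpolated into a URL path without being checked. The following is an added JavaScript example (not n8n-mcp's own client code) of the defensive shape: reject anything that is not a plain identifier, then confirm after parsing that the id still occupies exactly one path segment. The names isSafePathSegment and buildWorkflowUrl and the "/workflows/" path are assumptions for illustration.

```javascript
// Added example, not n8n-mcp's own code. Assumed names: isSafePathSegment,
// buildWorkflowUrl; the "/workflows/<id>" route is illustrative.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;

// Allow only characters that cannot act as path, query or escape syntax,
// so the id can never introduce a second segment, "..", "?" or "#".
function isSafePathSegment(id) {
  return typeof id === 'string' && SAFE_SEGMENT.test(id);
}

function buildWorkflowUrl(baseUrl, id) {
  if (!isSafePathSegment(id)) {
    throw new Error('invalid workflow id');
  }
  const base = new URL(baseUrl);
  const prefix = base.pathname.replace(/\/$/, '') + '/workflows/';
  const url = new URL(prefix + encodeURIComponent(id), base);
  // Defense in depth: after WHATWG parsing (which resolves "..", collapses
  // escapes, etc.) the path must still be prefix + id and nothing else.
  if (url.pathname !== prefix + id || url.search !== '' || url.hash !== '') {
    throw new Error('workflow id altered the request path');
  }
  return url.toString();
}
```

The post-parse comparison is the check that catches encodings a character allowlist alone might miss, because it compares what the HTTP client will actually send.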

Severity

CVSS 8.3 (HIGH). Exploitation requires an authenticated MCP
caller and an n8n API integration configured with an
n8n API key.


Patched versions

Upgrade to n8n-mcp >= 2.50.1.

Workarounds

  - For issues (1) and (2): restrict network access to the
    HTTP transport (firewall, reverse-proxy ACL, or VPN) so only
    trusted callers can reach the MCP HTTP port; or switch to
    stdio mode, which exposes no HTTP surface for these issues.
  - For issue (3): set N8N_MCP_TELEMETRY_DISABLED=true in
    the environment before starting the server, or
    run npx n8n-mcp telemetry disable once.


Credit

Reported by @cybercraftsolutionsllc.

Severity
High, 8.3 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : High
  Availability        : Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CVE ID
No known CVE

Weaknesses
CWE-22, CWE-200, CWE-918

Credits
@cybercraftsolutionsllc (Reporter)
_____________________________________________________________________


Authenticated SSRF in n8n-mcp webhook and API client paths
High
czlonkowski published GHSA-cmrh-wvq6-wm9r May 4, 2026

Package
n8n-mcp (npm)

Affected versions
>= 2.18.7, < 2.50.2

Patched versions
2.50.2


Description

Summary

Authenticated Server-Side Request Forgery affecting the webhook
trigger tools, the n8n API client (N8N_API_URL), and per-request
URLs supplied via the x-n8n-url header in multi-tenant HTTP mode.


Impact

A caller with access to the MCP session can drive HTTP requests
from the n8n-mcp host to internal services and cloud metadata
endpoints that the SSRF gate is meant to block. The response
body is returned to the caller, making internal-service
enumeration and credential theft immediate without any
out-of-band channel.

  - Multi-tenant HTTP deployments where tenants share an
    AUTH_TOKEN: any tenant with valid credentials can reach the
    operator's cloud metadata service and exfiltrate temporary
    IAM / GCP service account / Azure managed-identity
    credentials.
  - Single-tenant deployments: indirect prompt injection
    through tool arguments reaches the same surface; an attacker
    who can influence the LLM's tool calls can read internal
    services from the n8n-mcp host.
  - Stdio deployments are reachable via the same
    prompt-injection path.


Patched Versions

Fixed in n8n-mcp@2.50.2.

Note for operators: The same SSRF gate that previously covered
webhook URLs now also covers the n8n API client base URL.
If N8N_API_URL points at http://localhost:5678 (n8n on the
same host) or an RFC1918 address (n8n on the same private
network), set WEBHOOK_SECURITY_MODE=moderate (allows
localhost, still blocks RFC1918 and cloud metadata)
or WEBHOOK_SECURITY_MODE=permissive (allows RFC1918 too — only
safe on a trusted private network). Default strict is correct
for deployments where n8n is reachable at a public hostname.


Workarounds

For deployments that cannot upgrade immediately:

  - Restrict network egress from the n8n-mcp host with a
    firewall, reverse proxy, or cloud security group. Explicitly
    deny cloud metadata IPs (169.254.169.254, 169.254.170.2,
    100.100.100.200, 192.0.0.192, and the GCP
    metadata.google.internal resolved IP) and any RFC1918
    networks the server does not legitimately need to reach.
  - Run in stdio mode instead of HTTP if the multi-tenant
    surface is not needed (no shared AUTH_TOKEN to compromise).
  - Disable workflow management tools via
    DISABLED_TOOLS=n8n_trigger_webhook_workflow,n8n_create_workflow,n8n_test_workflow
    if the deployment does not need them.


Credit

Reported by @fg0x0.


Severity
High, 7.2 / 10

CVSS v4 base metrics
Exploitability metrics
  Attack Vector       : Network
  Attack Complexity   : High
  Attack Requirements : Present
  Privileges Required : Low
  User Interaction    : None
Vulnerable system impact metrics
  Confidentiality : High
  Integrity       : Low
  Availability    : Low
Subsequent system impact metrics
  Confidentiality : High
  Integrity       : Low
  Availability    : Low
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

CVE ID
CVE-2026-44694

Weaknesses
CWE-367, CWE-918

Credits
@fg0x0 (Reporter)


_____________________________________________________________________


Workflow telemetry sanitizer could retain partial values from
URL-shaped node parameters

Moderate
czlonkowski published GHSA-f3rg-xqjj-cj9w May 11, 2026

Package
n8n-mcp (npm)

Affected versions
< 2.51.3

Patched versions
2.51.3


Description

Summary

In affected versions of n8n-mcp, the workflow telemetry sanitizer
could retain partial fragments of URL-shaped node parameters
before sending workflow data to the project's anonymous telemetry
backend. Values placed in HTTP-Request-style node parameters —
such as customer or tenant identifiers, short secrets embedded in
query strings, and signed request parameters — could therefore
appear in stored telemetry, contrary to the collection boundary
documented in PRIVACY.md.


Impact

Operators with access to the project's telemetry backend could
read partial fragments of workflow URL parameters that should
not have been collected. The bug was scoped to URL-shaped fields
in workflow definitions; credentials, OAuth tokens, and workflow
execution data are not affected — credentials are removed by a
separate code path, and long secrets and known-provider tokens
are matched by dedicated patterns.
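The defect above is a sanitizer that left partial fragments of URL-shaped values in place. As an added JavaScript example (not n8n-mcp's own sanitizer), the following reduces every http(s) URL in a node's parameters, whether it is the whole value or embedded in a longer string, to scheme and host, and ships a test oracle that checks no path segment or query value survives in the output. The names sanitizeNodeParameters and retainedFragments are assumptions, as is the choice to treat only strings starting with http:// or https:// as URL-shaped.

```javascript
// Added example, not n8n-mcp's own code. Assumed names: sanitizeNodeParameters,
// retainedFragments. Only http(s) URLs are treated as URL-shaped here.
const URL_IN_TEXT = /\bhttps?:\/\/[^\s"'<>]+/gi;

// Keep scheme and host only: path segments, query strings and fragments are
// where tenant ids and signed parameters live, so none of them survive.
function redactUrl(raw) {
  try {
    const u = new URL(raw);
    return `${u.protocol}//${u.host}/[REDACTED]`; // host excludes userinfo
  } catch {
    return '[REDACTED_URL]';
  }
}

// Walk strings, arrays and objects; numbers and booleans pass through.
function sanitizeValue(value) {
  if (typeof value === 'string') return value.replace(URL_IN_TEXT, redactUrl);
  if (Array.isArray(value)) return value.map(sanitizeValue);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitizeValue(v)]),
    );
  }
  return value;
}

function sanitizeNodeParameters(parameters) {
  return sanitizeValue(parameters);
}

// Test oracle for the sanitizer: every path segment and query value taken
// from URLs in the original must be absent from the sanitized output.
function retainedFragments(original, sanitized) {
  const haystack = JSON.stringify(sanitized);
  const pieces = [];
  for (const m of JSON.stringify(original).match(URL_IN_TEXT) || []) {
    try {
      const u = new URL(m);
      pieces.push(...u.pathname.split('/').filter((s) => s.length > 1));
      for (const [, v] of u.searchParams) if (v.length > 1) pieces.push(v);
    } catch { /* not a parseable URL, nothing to extract */ }
  }
  return pieces.filter((p) => haystack.includes(p));
}
```

Running retainedFragments over real workflow fixtures in CI is the regression test that would have caught the partial-retention bug: it fails on any fragment, not only on values that happen to match a secret pattern.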


Patches

Fixed in n8n-mcp 2.51.3. Upgrading is the recommended remediation.

Workarounds

For users who cannot upgrade immediately, disable anonymous
telemetry by setting any of these environment variables to
true:

  - N8N_MCP_TELEMETRY_DISABLED
  - TELEMETRY_DISABLED
  - DISABLE_TELEMETRY

Credit

Reported by @u-ktdi.


Severity
Moderate, 6.5 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : None
  Availability        : None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID
No known CVE

Weaknesses
CWE-201

Credits
@u-ktdi (Reporter)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================