GHSA-56c3-vfp2-5qqj: n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders
Summary
A flaw in n8n-mcp's URL validation (`validateUrlSync()`) allowed attackers to bypass its SSRF protections (server-side request forgery, where an attacker tricks a server into making requests on their behalf) using IPv4-mapped IPv6 addresses such as `http://[::ffff:169.254.169.254]`. An attacker who controls the `n8nApiUrl` input could thereby force the server to request sensitive data from cloud metadata endpoints, private networks, or localhost services, with the responses returned to the attacker along with API credentials.
Solution / Mitigation
Upgrade to **v2.47.14 or later** (via `npx n8n-mcp@latest` for npm or `docker pull ghcr.io/czlonkowski/n8n-mcp:latest` for Docker). If an immediate upgrade is not possible, the advisory lists three workarounds: (1) validate URLs before passing them to the SDK by rejecting IP-literal hostnames and accepting only DNS-resolvable hostnames; (2) block outbound network traffic from the n8n-mcp process to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and cloud metadata endpoints; and (3) do not accept user-controlled `n8nApiUrl` values, deriving the URL from internal configuration only.
Vulnerability Details
EPSS: 0.0%
April 30, 2026
Original source: https://github.com/advisories/GHSA-56c3-vfp2-5qqj
First tracked: April 30, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%