GHSA-cmrh-wvq6-wm9r: n8n-mcp webhook and API client paths have an authenticated SSRF
Summary
An authenticated SSRF (server-side request forgery, where an attacker tricks a server into making requests on their behalf to hosts it can reach but they cannot) vulnerability affects n8n-mcp's webhook and API client features. An authenticated attacker can make the n8n-mcp host issue HTTP requests to internal services or cloud credential endpoints that should have been blocked, which can expose credentials or allow enumeration of internal systems.
Solution / Mitigation
Fixed in n8n-mcp@2.50.2. If you cannot upgrade immediately, the advisory lists three workarounds: (1) Restrict network egress from the n8n-mcp host using a firewall or cloud security group to deny the cloud metadata addresses (169.254.169.254, 169.254.170.2, 100.100.100.200, 192.0.0.192, and GCP's metadata.google.internal) and RFC1918 networks; (2) Run in stdio mode instead of HTTP mode if multi-tenant mode is not needed; (3) Disable the workflow management tools via `DISABLED_TOOLS=n8n_trigger_webhook_workflow,n8n_create_workflow,n8n_test_workflow` if they are not needed. Additionally, if N8N_API_URL points to localhost or a private network address, set `WEBHOOK_SECURITY_MODE=moderate` (allows localhost, blocks private networks and cloud metadata) or `WEBHOOK_SECURITY_MODE=permissive` (allows private networks too, and is only safe on trusted networks).
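To illustrate the destination policy the WEBHOOK_SECURITY_MODE settings above describe, here is an added example of a webhook-target check written for this page; it is not n8n-mcp's own code. The mode name "strict" for the default (block localhost, private networks and cloud metadata) is an assumption, and the metadata address list is the one given in the mitigation.

```javascript
// Added example, not n8n-mcp's implementation. Cloud metadata endpoints
// (list taken from the advisory's mitigation) are blocked in every mode.
const METADATA_HOSTS = new Set([
  "169.254.169.254", "169.254.170.2", "100.100.100.200",
  "192.0.0.192", "metadata.google.internal",
]);
const PRIVATE_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"];
const LOOPBACK_CIDRS = ["127.0.0.0/8"];

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Classify a URL hostname as metadata / loopback / private / public / hostname.
// "hostname" means a DNS name: the caller must resolve it and re-check the
// resolved address with this same function, otherwise the policy is bypassable.
function classifyHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (METADATA_HOSTS.has(h)) return "metadata";
  if (h === "localhost" || h === "::1") return "loopback";
  const ip = ipv4ToInt(h);
  if (ip === null) return "hostname";
  if (LOOPBACK_CIDRS.some((c) => inCidr(ip, c))) return "loopback";
  if (PRIVATE_CIDRS.some((c) => inCidr(ip, c))) return "private";
  return "public";
}

// mode: "strict" (assumed default name), "moderate" or "permissive" as described above.
function isWebhookTargetAllowed(url, mode = "strict") {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  const cls = classifyHost(parsed.hostname); // WHATWG URL normalises IP literals
  if (cls === "metadata") return false;   // never allowed, in any mode
  if (cls === "hostname") return true;    // allowed only after resolve-and-recheck
  if (mode === "permissive") return true;
  if (mode === "moderate") return cls !== "private";
  return cls === "public";
}
```

Note that a check on the literal hostname is only the first half of the control: the egress firewall rule from the mitigation is what catches requests whose DNS name resolves to a blocked address.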
Vulnerability Details
EPSS: 0.0%
May 8, 2026
Original source: https://github.com/advisories/GHSA-cmrh-wvq6-wm9r
First tracked: May 8, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%