GHSA-4ggg-h7ph-26qr: n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode
Summary
n8n-mcp versions 2.47.3 and earlier have an authenticated SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to unintended locations) in multi-tenant HTTP mode, reachable through the per-request instance-URL header. An attacker with a valid authentication token can make the server fetch arbitrary URLs and read the responses, potentially exposing cloud credentials (for example via the AWS instance metadata service, IMDS), internal network services, and other sensitive data the server can reach.
Solution / Mitigation
Upgrade to n8n-mcp 2.47.4 or later (no configuration changes required). If you cannot upgrade immediately, the advisory lists three workarounds: (1) use egress filtering to block outbound traffic from the n8n-mcp container to private IP ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local 169.254.0.0/16; (2) disable multi-tenant headers by unsetting ENABLE_MULTI_TENANT and not accepting x-n8n-url / x-n8n-key headers at the reverse proxy if per-request instance switching is not needed; (3) restrict AUTH_TOKEN distribution to fully trusted operators only until you can upgrade.
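As an added example (not code from n8n-mcp or the advisory), the kind of server-side check that complements the egress-filtering workaround: it validates an instance URL taken from the x-n8n-url header and rejects any destination in the blocked ranges above. It also blocks loopback and the IPv6 equivalents, which the advisory does not list, and the injectable `resolver` parameter is an assumption added so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges the advisory's egress-filtering workaround blocks, plus loopback,
# "this host" and IPv6 equivalents (the extra ranges are an assumption).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # link-local, incl. cloud IMDS
    "127.0.0.0/8", "0.0.0.0/8",                        # loopback / "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def resolve_all(host):
    """Return every address the host resolves to; all of them must be checked."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_instance_url(url, resolver=resolve_all):
    """True only if fetching this URL cannot reach an internal/metadata address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # no file://, gopher://, or schemeless values
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False  # unresolvable or malformed: fail closed
    if not addrs:
        return False
    # IPv4-mapped IPv6 literals (::ffff:10.0.0.1) must be judged as IPv4.
    addrs = {(a.ipv4_mapped or a) if a.version == 6 else a for a in addrs}
    return not any(a in net for a in addrs for net in BLOCKED_NETWORKS)
```

Note that a pre-flight check like this does not pin the address actually connected to; to resist DNS rebinding, the HTTP client should connect to the validated address rather than re-resolving the hostname.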
Original source: https://github.com/advisories/GHSA-4ggg-h7ph-26qr
First tracked: April 8, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%