AI Threat Alert

CVE-2026-39974: n8n-MCP: SSRF exposes cloud metadata via MCP headers

HIGH
Published April 9, 2026
CISO Take

CVE-2026-39974 is an authenticated Server-Side Request Forgery in n8n-MCP, a widely-used MCP server that bridges AI assistants with n8n automation workflows — any caller holding a valid AUTH_TOKEN can supply arbitrary URLs through multi-tenant HTTP headers and read back the full server response via JSON-RPC. The critical concern is blast radius: the SSRF directly reaches cloud instance metadata endpoints (AWS IMDS at 169.254.169.254, GCP, Azure, Alibaba, Oracle), meaning a shared or compromised token translates immediately into cloud IAM credential theft and lateral movement across your entire cloud environment. At CVSS 8.5 with Scope:Changed and no public exploit or CISA KEV listing as of publication, the exploitation window is currently narrow — but the technique is trivial once an attacker has any valid AUTH_TOKEN in a multi-tenant deployment. Patch to n8n-MCP v2.47.4 immediately; as an interim control, block egress from the MCP server host to link-local IMDS ranges (169.254.0.0/16) at the network layer and audit all AUTH_TOKEN holders.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk for multi-tenant n8n-MCP HTTP deployments. CVSS 8.5 reflects low attack complexity, low privilege requirement (valid AUTH_TOKEN only), no user interaction, and Scope:Changed — indicating impact propagates beyond the MCP server into cloud infrastructure. The primary threat vector is IAM credential exfiltration via cloud IMDS, which can enable full cloud account compromise. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are explicitly not affected. Risk is amplified in AI agent pipelines where MCP tokens may be shared across operators, embedded in automation scripts, or issued to less-trusted AI assistant integrations without granular access controls.

How severe is it?

CVSS 3.1
8.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 23% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I Low
A None

What should I do?

5 steps

  1. Patch immediately: upgrade n8n-MCP to v2.47.4 (commit d9d847f).

  2. Network-level workaround: block egress from the MCP server host to link-local ranges (169.254.0.0/16) and internal RFC-1918 ranges not operationally required.

  3. Token hygiene: audit all AUTH_TOKEN holders — revoke and rotate tokens shared with less-trusted clients or embedded in shared automation scripts.

  4. Deployment review: convert multi-tenant HTTP deployments to single-tenant stdio where feasible; enforce strict per-operator token isolation if multi-tenancy is required.

  5. Detection: monitor MCP server egress logs for requests to 169.254.169.254, 169.254.170.2, or other metadata endpoints; alert on JSON-RPC responses containing cloud credential patterns (e.g., 'AccessKeyId', 'token', 'serviceAccountToken', 'computeMetadata').

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Agent Plugin AML.T0049 AML.T0053 AML.T0075 AML.T0083 AML.T0086

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.9.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Risk Response — Mechanisms for AI system boundary enforcement
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-39974?

CVE-2026-39974 is an authenticated Server-Side Request Forgery in n8n-MCP, a widely-used MCP server that bridges AI assistants with n8n automation workflows — any caller holding a valid AUTH_TOKEN can supply arbitrary URLs through multi-tenant HTTP headers and read back the full server response via JSON-RPC. The critical concern is blast radius: the SSRF directly reaches cloud instance metadata endpoints (AWS IMDS at 169.254.169.254, GCP, Azure, Alibaba, Oracle), meaning a shared or compromised token translates immediately into cloud IAM credential theft and lateral movement across your entire cloud environment. At CVSS 8.5 with Scope:Changed and no public exploit or CISA KEV listing as of publication, the exploitation window is currently narrow — but the technique is trivial once an attacker has any valid AUTH_TOKEN in a multi-tenant deployment. Patch to n8n-MCP v2.47.4 immediately; as an interim control, block egress from the MCP server host to link-local IMDS ranges (169.254.0.0/16) at the network layer and audit all AUTH_TOKEN holders.

Is CVE-2026-39974 actively exploited?

No confirmed active exploitation of CVE-2026-39974 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-39974?

1. Patch immediately: upgrade n8n-MCP to v2.47.4 (commit d9d847f). 2. Network-level workaround: block egress from the MCP server host to link-local ranges (169.254.0.0/16) and internal RFC-1918 ranges not operationally required. 3. Token hygiene: audit all AUTH_TOKEN holders — revoke and rotate tokens shared with less-trusted clients or embedded in shared automation scripts. 4. Deployment review: convert multi-tenant HTTP deployments to single-tenant stdio where feasible; enforce strict per-operator token isolation if multi-tenancy is required. 5. Detection: monitor MCP server egress logs for requests to 169.254.169.254, 169.254.170.2, or other metadata endpoints; alert on JSON-RPC responses containing cloud credential patterns (e.g., 'AccessKeyId', 'token', 'serviceAccountToken', 'computeMetadata').

What systems are affected by CVE-2026-39974?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP server deployments, cloud-connected AI pipelines, multi-tenant AI automation platforms.

What is the CVSS score for CVE-2026-39974?

CVE-2026-39974 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

agent frameworksMCP server deploymentscloud-connected AI pipelinesmulti-tenant AI automation platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0075 Cloud Service Discovery
AML.T0083 Credentials from AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4.

Exploitation Scenario

An adversary operating in a shared n8n-MCP multi-tenant environment obtains a valid AUTH_TOKEN — either legitimately as a lower-trust tenant, through credential theft from a shared CI/CD pipeline, or by compromising an AI assistant integration that holds the token. They craft a JSON-RPC request to the MCP server's HTTP endpoint with a multi-tenant header specifying the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server fetches the AWS IMDS endpoint and returns the full response — including the IAM role name — in the JSON-RPC reply. A follow-up request to the role-specific endpoint retrieves temporary AWS access keys, secret keys, and session tokens. The adversary authenticates directly to AWS using these credentials, enumerates S3 buckets containing training data or model artifacts, accesses Secrets Manager for downstream API keys, and escalates privileges across the cloud environment — all originating from the legitimate MCP server IP, which may not trigger cloud security baseline alerts.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

References

Timeline

Published
April 9, 2026
Last Modified
April 20, 2026
First Seen
April 9, 2026

Related Vulnerabilities

CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Data Leakage
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Leakage
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
Back to Threat Feed