CVE-2026-39974 — HIGH (CVSS 8.5) AI Security Vulnerability

CISO Take

CVE-2026-39974 is an authenticated Server-Side Request Forgery in n8n-MCP, a widely-used MCP server that bridges AI assistants with n8n automation workflows — any caller holding a valid AUTH_TOKEN can supply arbitrary URLs through multi-tenant HTTP headers and read back the full server response via JSON-RPC. The critical concern is blast radius: the SSRF directly reaches cloud instance metadata endpoints (AWS IMDS at 169.254.169.254, GCP, Azure, Alibaba, Oracle), meaning a shared or compromised token translates immediately into cloud IAM credential theft and lateral movement across your entire cloud environment. At CVSS 8.5 with Scope:Changed and no public exploit or CISA KEV listing as of publication, the exploitation window is currently narrow — but the technique is trivial once an attacker has any valid AUTH_TOKEN in a multi-tenant deployment. Patch to n8n-MCP v2.47.4 immediately; as an interim control, block egress from the MCP server host to link-local IMDS ranges (169.254.0.0/16) at the network layer and audit all AUTH_TOKEN holders.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

High risk for multi-tenant n8n-MCP HTTP deployments. CVSS 8.5 reflects low attack complexity, low privilege requirement (valid AUTH_TOKEN only), no user interaction, and Scope:Changed — indicating impact propagates beyond the MCP server into cloud infrastructure. The primary threat vector is IAM credential exfiltration via cloud IMDS, which can enable full cloud account compromise. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are explicitly not affected. Risk is amplified in AI agent pipelines where MCP tokens may be shared across operators, embedded in automation scripts, or issued to less-trusted AI assistant integrations without granular access controls.

Severity & Risk

CVSS 3.1

8.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I Low

A None

Recommended Action

Patch immediately: upgrade n8n-MCP to v2.47.4 (commit d9d847f).
Network-level workaround: block egress from the MCP server host to link-local ranges (169.254.0.0/16) and internal RFC-1918 ranges not operationally required.
Token hygiene: audit all AUTH_TOKEN holders — revoke and rotate tokens shared with less-trusted clients or embedded in shared automation scripts.
Deployment review: convert multi-tenant HTTP deployments to single-tenant stdio where feasible; enforce strict per-operator token isolation if multi-tenancy is required.
Detection: monitor MCP server egress logs for requests to 169.254.169.254, 169.254.170.2, or other metadata endpoints; alert on JSON-RPC responses containing cloud credential patterns (e.g., 'AccessKeyId', 'token', 'serviceAccountToken', 'computeMetadata').

Classification

Data Extraction Data Leakage Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0075 - Cloud Service Discovery AML.T0083 - Credentials from AI Agent Configuration AML.T0086 - Exfiltration via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.9.3 - AI system security

NIST AI RMF

MANAGE 2.2 - Risk Response — Mechanisms for AI system boundary enforcement

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-39974?

CVE-2026-39974 is an authenticated Server-Side Request Forgery in n8n-MCP, a widely-used MCP server that bridges AI assistants with n8n automation workflows — any caller holding a valid AUTH_TOKEN can supply arbitrary URLs through multi-tenant HTTP headers and read back the full server response via JSON-RPC. The critical concern is blast radius: the SSRF directly reaches cloud instance metadata endpoints (AWS IMDS at 169.254.169.254, GCP, Azure, Alibaba, Oracle), meaning a shared or compromised token translates immediately into cloud IAM credential theft and lateral movement across your entire cloud environment. At CVSS 8.5 with Scope:Changed and no public exploit or CISA KEV listing as of publication, the exploitation window is currently narrow — but the technique is trivial once an attacker has any valid AUTH_TOKEN in a multi-tenant deployment. Patch to n8n-MCP v2.47.4 immediately; as an interim control, block egress from the MCP server host to link-local IMDS ranges (169.254.0.0/16) at the network layer and audit all AUTH_TOKEN holders.

Is CVE-2026-39974 actively exploited?

No confirmed active exploitation of CVE-2026-39974 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-39974?

1. Patch immediately: upgrade n8n-MCP to v2.47.4 (commit d9d847f). 2. Network-level workaround: block egress from the MCP server host to link-local ranges (169.254.0.0/16) and internal RFC-1918 ranges not operationally required. 3. Token hygiene: audit all AUTH_TOKEN holders — revoke and rotate tokens shared with less-trusted clients or embedded in shared automation scripts. 4. Deployment review: convert multi-tenant HTTP deployments to single-tenant stdio where feasible; enforce strict per-operator token isolation if multi-tenancy is required. 5. Detection: monitor MCP server egress logs for requests to 169.254.169.254, 169.254.170.2, or other metadata endpoints; alert on JSON-RPC responses containing cloud credential patterns (e.g., 'AccessKeyId', 'token', 'serviceAccountToken', 'computeMetadata').

What systems are affected by CVE-2026-39974?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP server deployments, cloud-connected AI pipelines, multi-tenant AI automation platforms.

What is the CVSS score for CVE-2026-39974?

CVE-2026-39974 has a CVSS v3.1 base score of 8.5 (HIGH).

Technical Details

NVD Description

n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP installations where more than one operator can present a valid AUTH_TOKEN, or where a token is shared with less-trusted clients. Single-tenant stdio deployments and HTTP deployments without multi-tenant headers are not affected. This vulnerability is fixed in 2.47.4.

Exploitation Scenario

An adversary operating in a shared n8n-MCP multi-tenant environment obtains a valid AUTH_TOKEN — either legitimately as a lower-trust tenant, through credential theft from a shared CI/CD pipeline, or by compromising an AI assistant integration that holds the token. They craft a JSON-RPC request to the MCP server's HTTP endpoint with a multi-tenant header specifying the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server fetches the AWS IMDS endpoint and returns the full response — including the IAM role name — in the JSON-RPC reply. A follow-up request to the role-specific endpoint retrieves temporary AWS access keys, secret keys, and session tokens. The adversary authenticates directly to AWS using these credentials, enumerates S3 buckets containing training data or model artifacts, accesses Secrets Manager for downstream API keys, and escalates privileges across the cloud environment — all originating from the legitimate MCP server IP, which may not trigger cloud security baseline alerts.