CVE-2026-44694: n8n SSRF — UNKNOWN

Q: Is CVE-2026-44694 actively exploited?

No confirmed active exploitation of CVE-2026-44694 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-44694?

1. PATCH: Upgrade n8n-mcp to version 2.50.2 immediately (patch commit bcaba839). 2. BLOCK: If patching is delayed, configure your reverse proxy or WAF to strip the x-n8n-url header from all incoming requests. 3. RESTRICT: Audit and lock down N8N_API_URL to an explicit allowlist of permitted endpoints; do not allow free-form URL input. 4. NETWORK: Enforce IMDSv2 on all EC2 instances and equivalent metadata service protections on GCP/Azure to prevent credential harvest via SSRF. 5. DETECT: Review MCP server outbound logs for requests to RFC-1918 address space (10.x, 172.16.x, 192.168.x), loopback (127.x), or cloud metadata IPs (169.254.169.254). 6. AUDIT: If running multi-tenant, review which users or AI agents have authenticated access to n8n-MCP and apply least-privilege principles.

Q: What systems are affected by CVE-2026-44694?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks using MCP servers, n8n automation pipelines, Multi-tenant agentic AI orchestration platforms, LLM-connected workflow automation systems, Agentic AI stacks with internal API access.

Q: What is the CVSS score for CVE-2026-44694?

No CVSS score has been assigned yet.

CISO Take

n8n-MCP, an MCP server that bridges AI assistants to n8n automation workflows, contains an authenticated server-side request forgery flaw in versions 2.18.7 through 2.50.1 affecting webhook trigger tools and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. While the authentication requirement and absence of public exploits or CISA KEV listing temper immediate alarm, the architectural position of MCP servers in agentic AI stacks is particularly dangerous for SSRF — a compromised AI assistant session or a prompt injection attack can weaponize the MCP server as a proxy to reach cloud metadata services (AWS IMDSv1, GCP metadata), internal APIs, and private subnets that would otherwise be inaccessible. With 16 downstream dependents and 75 prior CVEs in the same package (OpenSSF score 6/10), this package warrants elevated scrutiny in any agentic AI supply chain. Upgrade to n8n-mcp 2.50.2 immediately; if patching is delayed, block the x-n8n-url header at the reverse proxy layer and audit N8N_API_URL to restrict it to allowlisted endpoints.

Sources: GitHub Advisory NVD OpenSSF ATLAS

What is the risk?

MEDIUM-HIGH for agentic AI deployments, MEDIUM overall. The authentication requirement prevents unauthenticated mass exploitation, but in AI agent architectures the 'authenticated user' may be an AI assistant operating with delegated credentials — meaning a successful prompt injection attack can chain directly into this SSRF without requiring separate credential compromise. Multi-tenant HTTP mode deployments face the highest risk, as the x-n8n-url header mechanism allows per-request SSRF without any additional state. No CVSS score is published, but the CWE-918 (SSRF) combined with CWE-367 (TOCTOU) pairing suggests potential race condition amplification. The package's history of 75 CVEs and below-average OpenSSF score signal systemic security debt.

How does the attack unfold?

Initial Access

Adversary obtains authenticated session to n8n-MCP via stolen credentials, legitimate multi-tenant account, or by chaining a prompt injection attack against an AI assistant with delegated MCP access.

AML.T0012

SSRF Exploitation

Adversary sends a webhook trigger tool call or HTTP request with x-n8n-url header set to an internal target (cloud metadata, internal API, private subnet host), causing the MCP server to issue the request on the adversary's behalf.

AML.T0049

Internal Reconnaissance

Adversary iterates SSRF requests to enumerate internal network topology, probe services, and identify high-value targets such as credential stores or internal APIs not exposed to the internet.

AML.T0053

Credential Harvest & Lateral Movement

Adversary directs SSRF to cloud metadata endpoints (e.g., 169.254.169.254) to harvest IAM credentials or service tokens, enabling lateral movement into cloud infrastructure or downstream systems beyond the MCP server's intended scope.

AML.T0086

Initial Access

Adversary obtains authenticated session to n8n-MCP via stolen credentials, legitimate multi-tenant account, or by chaining a prompt injection attack against an AI assistant with delegated MCP access.

AML.T0012

SSRF Exploitation

Adversary sends a webhook trigger tool call or HTTP request with x-n8n-url header set to an internal target (cloud metadata, internal API, private subnet host), causing the MCP server to issue the request on the adversary's behalf.

AML.T0049

Internal Reconnaissance

Adversary iterates SSRF requests to enumerate internal network topology, probe services, and identify high-value targets such as credential stores or internal APIs not exposed to the internet.

AML.T0053

Credential Harvest & Lateral Movement

Adversary directs SSRF to cloud metadata endpoints (e.g., 169.254.169.254) to harvest IAM credentials or service tokens, enabling lateral movement into cloud infrastructure or downstream systems beyond the MCP server's intended scope.

AML.T0086

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →
n8n	npm	>= 2.18.7, < 2.50.2	`2.50.2`
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →

How severe is it?

CVSS 3.1

N/A

EPSS

0.2%

chance of exploitation in 30 days

Higher than 14% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

6 steps

PATCH

Upgrade n8n-mcp to version 2.50.2 immediately (patch commit bcaba839).
BLOCK

If patching is delayed, configure your reverse proxy or WAF to strip the x-n8n-url header from all incoming requests.
RESTRICT

Audit and lock down N8N_API_URL to an explicit allowlist of permitted endpoints; do not allow free-form URL input.
NETWORK

Enforce IMDSv2 on all EC2 instances and equivalent metadata service protections on GCP/Azure to prevent credential harvest via SSRF.
DETECT

Review MCP server outbound logs for requests to RFC-1918 address space (10.x, 172.16.x, 192.168.x), loopback (127.x), or cloud metadata IPs (169.254.169.254).
AUDIT

If running multi-tenant, review which users or AI agents have authenticated access to n8n-MCP and apply least-privilege principles.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Prompt Injection Auth Bypass Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0083 - Credentials from AI Agent Configuration AML.T0086 - Exfiltration via AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.1 - Information security controls for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain effectiveness of risk response

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-44694?

n8n-MCP, an MCP server that bridges AI assistants to n8n automation workflows, contains an authenticated server-side request forgery flaw in versions 2.18.7 through 2.50.1 affecting webhook trigger tools and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. While the authentication requirement and absence of public exploits or CISA KEV listing temper immediate alarm, the architectural position of MCP servers in agentic AI stacks is particularly dangerous for SSRF — a compromised AI assistant session or a prompt injection attack can weaponize the MCP server as a proxy to reach cloud metadata services (AWS IMDSv1, GCP metadata), internal APIs, and private subnets that would otherwise be inaccessible. With 16 downstream dependents and 75 prior CVEs in the same package (OpenSSF score 6/10), this package warrants elevated scrutiny in any agentic AI supply chain. Upgrade to n8n-mcp 2.50.2 immediately; if patching is delayed, block the x-n8n-url header at the reverse proxy layer and audit N8N_API_URL to restrict it to allowlisted endpoints.

Is CVE-2026-44694 actively exploited?

No confirmed active exploitation of CVE-2026-44694 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44694?

1. PATCH: Upgrade n8n-mcp to version 2.50.2 immediately (patch commit bcaba839). 2. BLOCK: If patching is delayed, configure your reverse proxy or WAF to strip the x-n8n-url header from all incoming requests. 3. RESTRICT: Audit and lock down N8N_API_URL to an explicit allowlist of permitted endpoints; do not allow free-form URL input. 4. NETWORK: Enforce IMDSv2 on all EC2 instances and equivalent metadata service protections on GCP/Azure to prevent credential harvest via SSRF. 5. DETECT: Review MCP server outbound logs for requests to RFC-1918 address space (10.x, 172.16.x, 192.168.x), loopback (127.x), or cloud metadata IPs (169.254.169.254). 6. AUDIT: If running multi-tenant, review which users or AI agents have authenticated access to n8n-MCP and apply least-privilege principles.

What systems are affected by CVE-2026-44694?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks using MCP servers, n8n automation pipelines, Multi-tenant agentic AI orchestration platforms, LLM-connected workflow automation systems, Agentic AI stacks with internal API access.

What is the CVSS score for CVE-2026-44694?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks using MCP serversn8n automation pipelinesMulti-tenant agentic AI orchestration platformsLLM-connected workflow automation systemsAgentic AI stacks with internal API access

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0051.001 Indirect

AML.T0053 AI Agent Tool Invocation

AML.T0083 Credentials from AI Agent Configuration

AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.1

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. This issue has been patched in version 2.50.2.

Exploitation Scenario

An attacker with a valid session token to an n8n-MCP deployment (obtained via stolen credentials, session hijacking, or by being a legitimate multi-tenant user) sends a webhook trigger tool invocation with the x-n8n-url header set to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The MCP server faithfully fetches this URL and returns the cloud instance's IAM role credentials in the response. Alternatively, in an agentic AI context: an adversary plants a malicious document in the AI assistant's retrieval context containing a prompt injection payload that instructs the assistant to call n8n webhook tools with attacker-controlled internal URLs — chaining LLM prompt injection with SSRF to achieve lateral movement without direct network access.

Weaknesses (CWE)

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Primary CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Primary CWE-918 Server-Side Request Forgery (SSRF) Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

[Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
[Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Source: MITRE CWE corpus.