GHSA-8g7g-hmwm-6rv2: n8n path traversal + SSRF

CISO Take

n8n-mcp before 2.50.1 contains three compounding vulnerabilities that together allow an authenticated MCP caller to exfiltrate the configured n8n API key, perform non-blind SSRF to internal network resources, and silently harvest credentials via unredacted telemetry uploads. The authentication prerequisite is a weak barrier in MCP deployments, where agent clients are often broadly trusted and share session context — meaning a compromised AI agent or malicious MCP client can chain all three issues without additional privilege escalation. With 75 prior CVEs in this package, a risk score of 69/100, and n8n API keys typically carrying admin-level access to your entire automation workflow estate, the blast radius extends to every integration secret embedded in n8n workflows. Upgrade to n8n-mcp >= 2.50.1 immediately; if patching is not yet possible, restrict MCP HTTP transport to trusted callers via firewall or reverse-proxy ACL and immediately set N8N_MCP_TELEMETRY_DISABLED=true to halt credential exfiltration via telemetry.

Sources: GitHub Advisory ATLAS OpenSSF

What is the risk?

HIGH. The CVSS 8.3 score reflects network-reachable exploitation with low-privilege requirements and high confidentiality/integrity impact. The path traversal (CWE-22) is especially dangerous because it explicitly bypasses the DISABLED_TOOLS access control mechanism — meaning security configurations operators believe are enforced are silently circumvented. The SSRF (CWE-918) via redirect-following enables internal network reconnaissance and data exfiltration from services that otherwise would be unreachable. The telemetry credential leakage (CWE-200) is particularly insidious: it requires zero attacker interaction once an instance is running with default settings and can silently drain secrets from all n8n workflow nodes over time. No public exploit or Nuclei template exists yet, and CISA has not added this to KEV, but the straightforward exploitation mechanics and high-value target profile (automation workflows often hold OAuth tokens, API keys, and webhook secrets for dozens of SaaS integrations) elevate operational risk above the baseline CVSS score suggests.

How does the attack unfold?

Authenticated Access

Adversary obtains valid MCP caller credentials — via compromised CI/CD pipeline, phished developer, or insider — and connects to the n8n-mcp HTTP transport endpoint.

AML.T0012

Path Traversal Exploitation

Adversary crafts a malicious workflow ID containing path traversal sequences (e.g., `../../admin/credentials`) that causes the n8n API client to forward the request — including the configured n8n API key — to unintended administrative endpoints, bypassing DISABLED_TOOLS restrictions.

AML.T0049

SSRF to Internal Network

Adversary submits a webhook URL that passes initial validation but issues a redirect to an internal host (e.g., cloud metadata service or internal API), receiving the full response body through the MCP call.

AML.T0053

Credential Exfiltration via Telemetry

Adversary triggers mutation operations on workflows containing embedded secrets; default telemetry uploads unredacted operation diffs — including bearer tokens, API keys, and webhook secrets — to the external telemetry endpoint.

AML.T0083

Authenticated Access

Adversary obtains valid MCP caller credentials — via compromised CI/CD pipeline, phished developer, or insider — and connects to the n8n-mcp HTTP transport endpoint.

AML.T0012

Path Traversal Exploitation

Adversary crafts a malicious workflow ID containing path traversal sequences (e.g., `../../admin/credentials`) that causes the n8n API client to forward the request — including the configured n8n API key — to unintended administrative endpoints, bypassing DISABLED_TOOLS restrictions.

AML.T0049

SSRF to Internal Network

Adversary submits a webhook URL that passes initial validation but issues a redirect to an internal host (e.g., cloud metadata service or internal API), receiving the full response body through the MCP call.

AML.T0053

Credential Exfiltration via Telemetry

Adversary triggers mutation operations on workflows containing embedded secrets; default telemetry uploads unredacted operation diffs — including bearer tokens, API keys, and webhook secrets — to the external telemetry endpoint.

AML.T0083

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 2.50.1	`2.50.1`
193.4K OpenSSF 6.6 Pushed 2d ago 55% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1

8.3 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A Low

What should I do?

6 steps

PATCH

Upgrade n8n-mcp to >= 2.50.1 — this is the only complete fix for all three issues.
TELEMETRY (immediate): Set N8N_MCP_TELEMETRY_DISABLED=true in the server environment or run npx n8n-mcp telemetry disable before the next restart to stop credential exfiltration via telemetry.
NETWORK ISOLATION

Restrict MCP HTTP transport to trusted callers via firewall rules, reverse-proxy ACL, or VPN; or switch to stdio transport mode which eliminates the HTTP attack surface for issues 1 and 2.
ROTATE CREDENTIALS

Audit and rotate the n8n API key configured in n8n-mcp and any integration secrets stored in n8n workflow node parameters that may have been exposed via telemetry.
AUDIT WORKFLOWS

Review all n8n workflows for embedded secrets in node parameters and migrate them to n8n's credential manager or environment variables.
DETECTION

Review outbound HTTP logs from the n8n-mcp process for unusual URL patterns indicating path traversal attempts (e.g., .. sequences or requests to non-workflow API paths); alert on redirect-following behavior to non-whitelisted external hosts.

How is it classified?

Auth Bypass Data Extraction Data Leakage Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0086 - Exfiltration via AI Agent Tool Invocation AML.T0107 - Exploitation for Defense Evasion

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - Information security in AI system supply chain A.9.4.1 - Access control for AI systems

NIST AI RMF

GOVERN 6.1 - Policies and practices for AI risk management MANAGE 2.2 - Mechanisms to sustain and monitor AI system

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-8g7g-hmwm-6rv2?

n8n-mcp before 2.50.1 contains three compounding vulnerabilities that together allow an authenticated MCP caller to exfiltrate the configured n8n API key, perform non-blind SSRF to internal network resources, and silently harvest credentials via unredacted telemetry uploads. The authentication prerequisite is a weak barrier in MCP deployments, where agent clients are often broadly trusted and share session context — meaning a compromised AI agent or malicious MCP client can chain all three issues without additional privilege escalation. With 75 prior CVEs in this package, a risk score of 69/100, and n8n API keys typically carrying admin-level access to your entire automation workflow estate, the blast radius extends to every integration secret embedded in n8n workflows. Upgrade to n8n-mcp >= 2.50.1 immediately; if patching is not yet possible, restrict MCP HTTP transport to trusted callers via firewall or reverse-proxy ACL and immediately set N8N_MCP_TELEMETRY_DISABLED=true to halt credential exfiltration via telemetry.

Is GHSA-8g7g-hmwm-6rv2 actively exploited?

No confirmed active exploitation of GHSA-8g7g-hmwm-6rv2 has been reported, but organizations should still patch proactively.

How to fix GHSA-8g7g-hmwm-6rv2?

1. PATCH: Upgrade n8n-mcp to >= 2.50.1 — this is the only complete fix for all three issues. 2. TELEMETRY (immediate): Set N8N_MCP_TELEMETRY_DISABLED=true in the server environment or run `npx n8n-mcp telemetry disable` before the next restart to stop credential exfiltration via telemetry. 3. NETWORK ISOLATION: Restrict MCP HTTP transport to trusted callers via firewall rules, reverse-proxy ACL, or VPN; or switch to stdio transport mode which eliminates the HTTP attack surface for issues 1 and 2. 4. ROTATE CREDENTIALS: Audit and rotate the n8n API key configured in n8n-mcp and any integration secrets stored in n8n workflow node parameters that may have been exposed via telemetry. 5. AUDIT WORKFLOWS: Review all n8n workflows for embedded secrets in node parameters and migrate them to n8n's credential manager or environment variables. 6. DETECTION: Review outbound HTTP logs from the n8n-mcp process for unusual URL patterns indicating path traversal attempts (e.g., `..` sequences or requests to non-workflow API paths); alert on redirect-following behavior to non-whitelisted external hosts.

What systems are affected by GHSA-8g7g-hmwm-6rv2?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration pipelines, MCP-connected agents, workflow automation backends, multi-agent tool execution environments.

What is the CVSS score for GHSA-8g7g-hmwm-6rv2?

GHSA-8g7g-hmwm-6rv2 has a CVSS v3.1 base score of 8.3 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksAI orchestration pipelinesMCP-connected agentsworkflow automation backendsmulti-agent tool execution environments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0086 Exfiltration via AI Agent Tool Invocation

AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.3, A.9.4.1

NIST AI RMF: GOVERN 6.1, MANAGE 2.2

OWASP LLM Top 10: LLM02, LLM06

What are the technical details?

Original Advisory

## Impact `n8n-mcp` versions before 2.50.1 contained three independently-reported issues affecting deployments that run the n8n API integration: 1. **Caller-supplied identifiers were not validated before being used as URL path segments** by the n8n API client. An authenticated MCP caller passing a crafted workflow id could cause outbound requests carrying the configured n8n API key to land on other same-origin endpoints, bypassing handler-level access controls (including `DISABLED_TOOLS`). 2. **Validated webhook, form, and chat trigger URLs followed redirects.** A URL that passed initial validation could redirect the outbound request to a host that would otherwise have been rejected, with the response body returned to the caller. Reachable as non-blind SSRF over authenticated MCP calls. 3. **Mutation telemetry stored unredacted operation payloads.** On instances running with the default opt-in telemetry, partial-update operation diffs were uploaded without redaction. Operation values can carry the same node-parameter values the workflow contains, including bearer tokens, API keys, and webhook secrets. ## Severity CVSS 8.3 (HIGH). Exploitation requires an authenticated MCP caller and an n8n API integration configured with an n8n API key. ## Patched versions Upgrade to `n8n-mcp >= 2.50.1`. ## Workarounds - For issues (1) and (2): restrict network access to the HTTP transport (firewall, reverse-proxy ACL, or VPN) so only trusted callers can reach the MCP HTTP port; or switch to stdio mode, which exposes no HTTP surface for these issues. - For issue (3): set `N8N_MCP_TELEMETRY_DISABLED=true` in the environment before starting the server, or run `npx n8n-mcp telemetry disable` once. ## Credit Reported by @cybercraftsolutionsllc.

Exploitation Scenario

An adversary with a valid MCP client credential (e.g., gained via phishing an AI agent developer or compromising a CI/CD pipeline that uses n8n-mcp) connects to the MCP HTTP endpoint. They craft a workflow ID parameter such as `../../admin/api-keys` and invoke the n8n API client, causing the outbound request carrying the configured n8n API key to land on the administrative API endpoint, bypassing any DISABLED_TOOLS restrictions. They then submit a webhook URL pointing to a seemingly-valid external host that issues a 302 redirect to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` (AWS IMDS), receiving cloud IAM credentials in the response body. Finally, they trigger a partial workflow update operation — knowing that if the instance runs with default telemetry settings, the operation diff (containing all node parameter values including every API key, bearer token, and webhook secret embedded in that workflow) is uploaded unredacted to the telemetry endpoint, which the attacker can then harvest. Total time to full credential exfiltration: under five minutes with a single authenticated MCP session.

Weaknesses (CWE)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.