CVE-2026-42449: n8n-MCP SSRF Bypasses IPv6 Checks

A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-42449, has been identified in n8n-MCP versions 2.47.4 through 2.47.13. This flaw allows attackers to bypass existing IPv4-based SSRF protection mechanisms by using IPv4-mapped IPv6 addresses, such as http://[::ffff:169.254.169.254]. This circumvents checks designed to block access to cloud metadata endpoints, RFC1918 private networks, and localhost services.

According to the National Vulnerability Database, an attacker capable of supplying an n8nApiUrl value can coerce the server into issuing HTTP requests to internal resources. Crucially, this is a non-blind SSRF, meaning response bodies are returned directly to the attacker. Furthermore, the x-n8n-api-key header, containing the n8nApiKey, is forwarded to the attacker-controlled target, risking API key compromise.

The vulnerability affects projects embedding n8n-mcp as an SDK using N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext. The issue is resolved in version 2.47.14. For those unable to upgrade immediately, the National Vulnerability Database recommends validating URLs before passing them to the SDK, restricting egress at the network layer, and rejecting user-controlled n8nApiUrl values.

What This Means For You

  • If your organization uses n8n-MCP in an embedded SDK configuration, you are exposed. This isn't just a theoretical bypass; it's a direct route to sensitive internal resources and API keys. Patch to version 2.47.14 immediately. If you can't, implement strict URL validation and egress filtering now. Assume an attacker will leverage this for lateral movement and credential theft.
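The bypass described above and the "validate URLs before passing them to the SDK" workaround, as an added example in Node.js JavaScript (n8n-mcp is a Node project); this is not code from the n8n-mcp project or from the advisory. `naiveIsSafe` stands in for an IPv4-only check of the kind the CVE defeats, and `hardenedIsSafe` unwraps IPv4-mapped IPv6 literals before applying the same range policy, then falls back to a caller-supplied hostname allowlist. All function names, the allowlist entry `n8n.example.internal`, and the probe URLs are constructed for this example.

```javascript
// Added example (not n8n-mcp project code): an IPv4-only SSRF check of the kind
// CVE-2026-42449 defeats, beside a check that unwraps IPv4-mapped IPv6 literals
// before applying the same range policy. Runs on Node.js with no dependencies.

// Dotted-quad IPv4 text -> 32-bit integer, or null if it is not a strict dotted quad.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// IPv6 text (no brackets) -> eight 16-bit groups, or null. Handles "::" and an
// embedded dotted-quad tail (::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe).
function parseIPv6(text) {
  let s = text.toLowerCase();
  const lastColon = s.lastIndexOf(':');
  const tail = s.slice(lastColon + 1);
  if (tail.includes('.')) {
    const v4 = parseIPv4(tail);
    if (v4 === null) return null;
    s = `${s.slice(0, lastColon + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...rest];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// For an IPv4-mapped address (::ffff:a.b.c.d) return the embedded IPv4 as an integer.
function mappedIPv4(groups) {
  const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
  return mapped ? groups[6] * 65536 + groups[7] : null;
}

// Ranges a server must not be coaxed into reaching: loopback, RFC1918, link-local
// (which contains the 169.254.169.254 metadata endpoint) and "this network".
function isBlockedIPv4(n) {
  const inCidr = (base, bits) => (n >>> (32 - bits)) === (parseIPv4(base) >>> (32 - bits));
  return ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16', '0.0.0.0/8']
    .some((cidr) => { const [base, bits] = cidr.split('/'); return inCidr(base, Number(bits)); });
}

// Native IPv6 ranges with the same meaning: ::, ::1, fe80::/10, fc00::/7.
function isBlockedIPv6(groups) {
  const zeroPrefix = groups.slice(0, 7).every((g) => g === 0);
  return (zeroPrefix && groups[7] <= 1) || (groups[0] & 0xffc0) === 0xfe80 || (groups[0] & 0xfe00) === 0xfc00;
}

// The pattern this CVE defeats (illustrative): the host is only inspected when it
// parses as dotted-quad IPv4, so an IPv6 literal is accepted unexamined. Note that
// the WHATWG URL parser already rewrites the hostname to "[::ffff:a9fe:a9fe]", so a
// plain substring search for "169.254.169.254" on the parsed host would miss it too.
function naiveIsSafe(urlText) {
  const v4 = parseIPv4(new URL(urlText).hostname);
  return v4 === null || !isBlockedIPv4(v4);
}

// Hardened check to run on n8nApiUrl before it reaches the SDK: http(s) only, IP
// literals are range-checked after unwrapping IPv4-mapped IPv6, and bare hostnames
// must be on a caller-supplied allowlist because DNS could resolve them anywhere.
// WHATWG URL also normalises alternate IPv4 spellings (0x7f000001 -> 127.0.0.1).
function hardenedIsSafe(urlText, allowedHosts) {
  let url;
  try { url = new URL(urlText); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname;
  if (host.startsWith('[') && host.endsWith(']')) {
    const groups = parseIPv6(host.slice(1, -1));
    if (groups === null) return false;
    const v4 = mappedIPv4(groups);
    return v4 !== null ? !isBlockedIPv4(v4) : !isBlockedIPv6(groups);
  }
  const v4 = parseIPv4(host);
  if (v4 !== null) return !isBlockedIPv4(v4);
  return allowedHosts.includes(host);
}

// Demo with a constructed URL: the metadata endpoint hidden in an IPv6 literal.
const probe = 'http://[::ffff:169.254.169.254]/latest/meta-data/';
console.log('naive    :', naiveIsSafe(probe));                              // true  (bypassed)
console.log('hardened :', hardenedIsSafe(probe, ['n8n.example.internal'])); // false (blocked)
```

The design point is that the range policy is applied to the address the request would actually reach, after every encoding the URL parser accepts has been collapsed, rather than to the string the caller typed. Egress filtering at the network layer, as the advisory also recommends, remains the backstop for hostnames that resolve to internal addresses.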

Detection Rules

The following Sigma rule was auto-generated for this incident and mapped to MITRE ATT&CK.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-42449: n8n-MCP SSRF via IPv6 Mapped Address to Cloud Metadata

Sigma YAML:
title: 'CVE-2026-42449: n8n-MCP SSRF via IPv6 Mapped Address to Cloud Metadata'
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-42449 by sending requests to the n8n-MCP server where the n8nApiUrl parameter is set to an IPv4-mapped IPv6 address targeting cloud metadata endpoints (e.g., http://[::ffff:169.254.169.254]). This bypasses SSRF protections and allows attackers to access sensitive cloud instance information.
  Only fires when the value appears in the request URI; an n8nApiUrl carried in a request body is not visible to webserver-category logs.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42449/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      # Literal form from the advisory, its percent-encoded spelling, and the
      # hex-group form a URL parser may emit for the same address (169.254 = a9fe).
      - '[::ffff:169.254.169.254]'
      - '%5B%3A%3Affff%3A169.254.169.254%5D'
      - '[::ffff:a9fe:a9fe]'
      - '%5B%3A%3Affff%3Aa9fe%3Aa9fe%5D'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID             | Type                   | Indicator
CVE-2026-42449 | SSRF                   | n8n-MCP versions 2.47.4 through 2.47.13
CVE-2026-42449 | SSRF                   | Vulnerable component: N8NDocumentationMCPServer constructor, getN8nApiClient(), validateInstanceContext(), SSRFProtection.validateUrlSync()
CVE-2026-42449 | SSRF                   | Attack vector: IPv4-mapped IPv6 addresses (e.g., http://[::ffff:169.254.169.254]) bypassing URL validation
CVE-2026-42449 | Information Disclosure | Exposure of n8nApiKey via x-n8n-api-key header to attacker-controlled target
CVE-2026-42449 | SSRF                   | Affected deployments embedding n8n-mcp as an SDK using N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
