Home / Vulnerability Intelligence / CVE-2026-39974

CVE-2026-39974 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: April 9, 2026

n8n-MCP - Server-Side Request Forgery

Published: April 9, 2026Updated: April 9, 2026Remote Exploitable

Overview

n8n-MCP < 2.47.4 contains an authenticated server-side request forgery caused by multi-tenant HTTP headers allowing arbitrary URL requests, letting authenticated attackers read internal or cloud metadata endpoints, exploit requires valid AUTH_TOKEN and multi-tenant HTTP headers.

Severity & Score

Severity: High

CVSS Score: 8.5

Impact

Authenticated attackers can read sensitive internal or cloud metadata endpoints, potentially exposing confidential data and internal services.

Mitigation

Update to version 2.47.4 or later.

References

https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-4ggg-h7ph-26qr
https://github.com/czlonkowski/n8n-mcp/commit/d9d847f230923d96e0857ccecf3a4dedcc9b0096
https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.4

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-39974
Severity: High
CVSS Score: 8.5
Type: server_side_request_forgery
Status: new

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N