CVE-2026-42449 - Vulnerability Analysis
High | CVSS: 8.5 | Last Updated: May 8, 2026
n8n-MCP - Server Side Request Forgery
Published: May 7, 2026 | Updated: May 8, 2026 | Remote Exploitable
Overview
n8n-MCP 2.47.4 through 2.47.13 contains a server-side request forgery vulnerability caused by missing IPv6 checks in its synchronous URL validation. An attacker who can supply the n8nApiUrl value can make the server access internal cloud metadata and private network endpoints. Exploitation requires the attacker to supply the n8nApiUrl value.
Severity & Score
Severity: High
CVSS Score: 8.5
Impact
Attackers can make the server send requests to internal services and retrieve sensitive data including API keys.
Mitigation
Upgrade to version 2.47.14 or later. Alternatively, validate URLs before passing them to the SDK and restrict network egress.
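One way to do the URL pre-validation mentioned above, as an added example that is not n8n-MCP's code or its patch: a synchronous check that rejects literal internal addresses, including the IPv6 forms. The function names are hypothetical and the blocked ranges are an assumed policy; host names are not resolved here, so the egress restriction is still needed.

```javascript
// Added example, not n8n-MCP code; all function names are hypothetical.
// Assumed policy: reject URLs whose host is a literal internal address.

// IPv4 octets in a "this network", private, loopback, link-local or CGNAT range.
function isInternalV4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||               // includes 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Expand URL-serialized IPv6 text (brackets removed) into 8 numeric hextets.
function expandV6(text) {
  const [head, tail = ''] = text.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const gap = text.includes('::') ? 8 - h.length - t.length : 0;
  return [...h, ...Array(gap).fill('0'), ...t].map((x) => parseInt(x, 16));
}

function isInternalV6(h) {
  const first80Zero = h.slice(0, 5).every((x) => x === 0);
  if (first80Zero && h[5] === 0) return true;   // ::, ::1, deprecated ::a.b.c.d
  if (first80Zero && h[5] === 0xffff) {         // IPv4-mapped ::ffff:a.b.c.d
    return isInternalV4([h[6] >> 8, h[6] & 0xff, h[7] >> 8, h[7] & 0xff]);
  }
  return (h[0] & 0xffc0) === 0xfe80 ||          // fe80::/10 link-local
         (h[0] & 0xfe00) === 0xfc00;            // fc00::/7 unique local
}

// Synchronous check for a caller-supplied base URL such as n8nApiUrl.
function checkApiUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  const host = url.hostname;                    // new URL() normalizes IP literals
  let internal;
  if (host.startsWith('[')) internal = isInternalV6(expandV6(host.slice(1, -1)));
  else if (/^\d+(\.\d+){3}$/.test(host)) internal = isInternalV4(host.split('.').map(Number));
  else internal = host === 'localhost' || host.endsWith('.localhost');
  return internal ? { ok: false, reason: 'internal address' } : { ok: true, reason: '' };
}
```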
Details
- CVE ID: CVE-2026-42449
- Severity: High
- CVSS Score: 8.5
- Type: server_side_request_forgery
- Status: unconfirmed
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N