CVE Catalog

CVE-2026-44694

Critical
Published: Translated: NVD NIST

Summary

n8n-MCP, an MCP server, has an authenticated server-side request forgery vulnerability affecting webhook trigger tools and the n8n API client. This issue exists in versions from 2.18.7 to before 2.50.2 and has been patched in version 2.50.2.

Risk Assessment

This vulnerability may allow attackers to manipulate requests to the server, potentially leading to unauthorized access to application data or functions. Organizations using n8n-MCP in affected versions should take immediate action.

Recommendation

It is recommended to upgrade n8n-MCP to version 2.50.2 or later to mitigate this vulnerability. Additionally, conducting a security audit of the application to identify potential threats is advisable.

Original NVD description (English source)

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. This issue has been patched in version 2.50.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS