CVE-2026-42449 - n8n-mcp IPv4-mapped IPv6 SSRF

n8n-mcp versions 2.47.4 through 2.47.13 contain an SSRF bypass in the SDK embedder path. The synchronous SSRFProtection.validateUrlSync() validator did not apply IPv6 protections, so IPv4-mapped IPv6 URL hosts such as [::ffff:169.254.169.254] could bypass checks intended to block cloud metadata, localhost, and private network targets.

The reachable path is applications embedding n8n-mcp as an SDK through N8NDocumentationMCPServer, N8NMCPEngine, getN8nApiClient(), or validateInstanceContext() while accepting a user-controlled n8nApiUrl. Successful exploitation can make the server issue non-blind SSRF requests and forward the configured x-n8n-api-key header to an attacker-chosen destination.

Affected versions

Vulnerable: n8n-mcp >=2.47.4, <2.47.14
Fixed: n8n-mcp 2.47.14+
Primarily exposed: SDK embedders that accept user-controlled InstanceContext or n8nApiUrl values.

Indicator-of-exposure

The repository depends on n8n-mcp through npm, pnpm, Yarn, Bun, Docker, or an embedded SDK wrapper.
The resolved package version is >=2.47.4, <2.47.14.
Application code instantiates N8NDocumentationMCPServer or N8NMCPEngine, or calls getN8nApiClient() / validateInstanceContext().
Any caller, tenant, workspace config, environment override, webhook, API parameter, or stored integration setting can influence n8nApiUrl.
The runtime can egress to cloud metadata endpoints, loopback, RFC1918 ranges, or internal control-plane services.

Quick checks:

rg -n "n8n-mcp|N8NDocumentationMCPServer|N8NMCPEngine|getN8nApiClient|validateInstanceContext|n8nApiUrl" .
npm ls n8n-mcp
pnpm why n8n-mcp
yarn why n8n-mcp
rg -n "169\\.254\\.169\\.254|metadata\\.google|metadata\\.azure|InstanceContext|x-n8n-api-key" .

Remediation strategy

Upgrade n8n-mcp to 2.47.14+ everywhere this repo controls dependency or image selection.
Reject user-controlled n8nApiUrl values that use IP-literal hosts, bracketed IPv6, localhost, link-local, private, or metadata destinations before they reach the SDK.
Prefer internally configured n8n instance URLs over tenant- or user-supplied URLs. If tenants need custom instances, require an allow-list or an ownership-verification workflow.
Add egress controls that block metadata endpoints, loopback, RFC1918 ranges, and other internal networks from the process that runs n8n-mcp.
Rotate any n8n API key that may have been forwarded to an untrusted n8nApiUrl, and review logs for bracketed IPv6 or metadata-target attempts.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-42449 (n8n-mcp IPv4-mapped IPv6 SSRF bypass).
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades `n8n-mcp`, closes reachable
  `n8nApiUrl` SSRF paths, adds regression coverage, and documents operator
  cleanup, or
- TRIAGE.md if this repository does not own an affected SDK embedder or safe
  patch path.

## Rules

- Scope only CVE-2026-42449.
- Do not make live requests to cloud metadata, loopback admin services, or
  private production networks while testing.
- Do not print, snapshot, or commit n8n API keys, MCP secrets, metadata tokens,
  request headers, or SSRF response bodies.
- Do not weaken URL validation to preserve backwards compatibility with unsafe
  IP-literal or private-network instance URLs.
- Do not auto-merge.

## Steps

1. Inventory every `n8n-mcp` dependency and deployment reference in package
   manifests, lockfiles, Dockerfiles, compose files, Helm values, SBOMs,
   generated dependency manifests, and MCP server configuration.
2. Determine whether any resolved version is `>=2.47.4, <2.47.14`.
3. Search application code for SDK embedder usage:
   - `N8NDocumentationMCPServer`;
   - `N8NMCPEngine`;
   - `getN8nApiClient()`;
   - `validateInstanceContext()`;
   - `InstanceContext`;
   - `n8nApiUrl`.
4. If the repository does not embed `n8n-mcp` as an SDK or never accepts a
   user-controlled `n8nApiUrl`, stop with `TRIAGE.md` documenting package
   versions, call-path evidence, and why the vulnerable path is not reachable.
5. Upgrade affected package references to `n8n-mcp >=2.47.14` using the repo's
   package manager. Regenerate lockfiles, container metadata, and SBOMs as
   appropriate.
6. Add or tighten pre-SDK validation for any configurable `n8nApiUrl`:
   - require `https:` unless local development has an explicit test-only path;
   - reject IP-literal hosts, including bracketed IPv6 and IPv4-mapped IPv6;
   - reject localhost, loopback, link-local, RFC1918, and cloud metadata hosts;
   - prefer a finite allow-list for approved n8n instance hostnames;
   - make validation fail closed before an `x-n8n-api-key` can be attached.
7. Add regression tests using inert URLs that prove the app rejects:
   - `http://[::ffff:169.254.169.254]/`;
   - `http://[::ffff:127.0.0.1]/`;
   - `http://169.254.169.254/`;
   - `http://127.0.0.1/`;
   - any project-specific private CIDR or internal host pattern.
8. Add deployment or runbook containment where this repository controls it:
   deny egress from the `n8n-mcp` process to metadata endpoints, loopback,
   RFC1918 ranges, link-local ranges, and internal service CIDRs that should
   never be n8n API targets.
9. Add a PR body section named `CVE-2026-42449 operator actions` that states:
   - whether the SDK embedder path was reachable;
   - which versions were upgraded;
   - whether user-controlled `n8nApiUrl` values existed;
   - which n8n API keys should be rotated if untrusted URLs were possible;
   - which logs should be reviewed for bracketed IPv6, IPv4-mapped IPv6,
     metadata-host, or private-network URL attempts.
10. Run the relevant validation: package-manager install check, unit tests,
    integration tests for URL validation, lint/typecheck, image build, deploy
    rendering, and dependency/security scans available in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-42449 in n8n-mcp`.

## Stop conditions

- This repository only runs the first-party `n8n-mcp` HTTP server and does not
  expose the affected SDK embedder path.
- The project does not control the dependency or container image selection.
- The only known `n8nApiUrl` source is hard-coded internal configuration, and
  a lockfile or image scan proves no vulnerable runtime remains.
- The fix would require accepting user-controlled private-network URLs as a
  product feature; document the risk and require a product/security decision.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

No package, lockfile, image, or SBOM controlled by the repo resolves n8n-mcp >=2.47.4, <2.47.14.
If the SDK embedder path is reachable, n8nApiUrl validation fails closed before API keys are attached to outbound requests.
Tests cover bracketed IPv6 and IPv4-mapped IPv6 metadata/loopback targets.
Runtime egress policy blocks metadata, private network, link-local, and loopback destinations from the n8n-mcp process.
The PR states whether API-key rotation and log review are required.

Watch for

Repositories that update package.json but leave package-lock.json, pnpm-lock.yaml, yarn.lock, Docker layers, or SBOMs on vulnerable versions.
Wrapper code that validates URLs on one API path while background jobs, tenant settings, or stored integration records still pass raw n8nApiUrl values into the SDK.
Tests that only cover dotted IPv4 private addresses and miss bracketed IPv6 forms.
Logging middleware that captures x-n8n-api-key headers or SSRF response bodies during failed validation tests.

References

GitHub Advisory: https://github.com/advisories/GHSA-56c3-vfp2-5qqj
Fix commit: https://github.com/czlonkowski/n8n-mcp/commit/9639f75