CVE-2026-42449

Summary

n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders

Severity

high

EPSS

0.2% (p10)

Also known as

GHSA-56c3-vfp2-5qqj

Published

2026-04-30

References

• https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-56c3-vfp2-5qqj
• https://nvd.nist.gov/vuln/detail/CVE-2026-42449
• https://github.com/czlonkowski/n8n-mcp/commit/9639f757853149f0cb16663cc8b6b6468f27a25f

Related advisories

• CVE-2026-45707 — high · npm/n8n-mcp
• GHSA-8g7g-hmwm-6rv2 — high · npm/n8n-mcp
• CVE-2026-44694 — high · npm/n8n-mcp
• GHSA-75hx-xj24-mqrw — high · npm/n8n-mcp
• CVE-2026-39974 — high · npm/n8n-mcp
• CVE-2026-45582 — medium · npm/n8n-mcp
• CVE-2026-42282 — medium · npm/n8n-mcp
• CVE-2026-41495 — medium · npm/n8n-mcp

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity