Package impact
npm / n8n-mcp
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44694 | critical | 9.1 | 9.1 | 22d ago | n8n-mcp webhook and API client paths has an authenticated SSRF | |||
| CVE-2026-42449 | high | 8.5 | 8.5 | 23d ago | n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders | |||
| CVE-2026-45707 | high | 8.1 | 8.1 | 12d ago | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that th… |