Skip to main content

LDAP CVE-2026-33751

| EUVDEUVD-2026-15958 MEDIUM
LDAP Injection (CWE-90)
2026-03-25 GitHub_M GHSA-w83q-mcmx-mh42
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 19:02 euvd
EUVD-2026-15958
Analysis Generated
Mar 25, 2026 - 19:02 vuln.today
CVE Published
Mar 25, 2026 - 18:47 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding n8n-nodes-base.ldap to the NODES_EXCLUDE environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

n8n contains an LDAP injection vulnerability in the LDAP node's filter escape logic that allows LDAP metacharacters to pass through unescaped when user-controlled input is interpolated into LDAP search filters. This affects n8n versions prior to 1.123.27, 2.13.3, and 2.14.1, enabling attackers to manipulate LDAP queries to retrieve unintended directory records or bypass authentication controls implemented within workflows. The vulnerability requires specific workflow configuration (LDAP node receiving external user input via expressions) and has not been publicly reported as actively exploited, though no proof-of-concept availability is explicitly confirmed across available intelligence sources.

Technical ContextAI

The vulnerability roots in CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query, also known as LDAP Injection), a code injection flaw class where untrusted input containing LDAP metacharacters is not properly escaped before being concatenated into LDAP filter strings. The n8n LDAP node (identified in CPE as cpe:2.3:a:n8n-io:n8n) is a workflow automation component that constructs LDAP search filters dynamically. When workflows use expression interpolation to embed external user input (from webhooks, forms, or API calls) directly into LDAP filter parameters without sanitization, attackers can inject LDAP filter syntax operators such as asterisks (*), parentheses, and logical operators (|, &, !) to modify query semantics, similar to SQL injection but targeting LDAP directory protocols.

RemediationAI

Immediately upgrade n8n to version 1.123.27, 2.13.3, 2.14.1, or later (see vendor advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42). Until patching is feasible, implement the following temporary mitigations: restrict workflow creation and editing permissions to fully trusted internal users only, exclude the LDAP node entirely by adding n8n-nodes-base.ldap to the NODES_EXCLUDE environment variable, and audit existing workflows to identify and remove any instances where external user input (from webhooks, forms, or API parameters) is passed via expressions into LDAP node search filters. These workarounds do not fully eliminate risk and should be treated as short-term measures only pending upgrade.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Share

CVE-2026-33751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy