Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding n8n-nodes-base.ldap to the NODES_EXCLUDE environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
n8n contains an LDAP injection vulnerability in the LDAP node's filter escape logic that allows LDAP metacharacters to pass through unescaped when user-controlled input is interpolated into LDAP search filters. This affects n8n versions prior to 1.123.27, 2.13.3, and 2.14.1, enabling attackers to manipulate LDAP queries to retrieve unintended directory records or bypass authentication controls implemented within workflows. The vulnerability requires specific workflow configuration (LDAP node receiving external user input via expressions) and has not been publicly reported as actively exploited, though no proof-of-concept availability is explicitly confirmed across available intelligence sources.
Technical ContextAI
The vulnerability roots in CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query, also known as LDAP Injection), a code injection flaw class where untrusted input containing LDAP metacharacters is not properly escaped before being concatenated into LDAP filter strings. The n8n LDAP node (identified in CPE as cpe:2.3:a:n8n-io:n8n) is a workflow automation component that constructs LDAP search filters dynamically. When workflows use expression interpolation to embed external user input (from webhooks, forms, or API calls) directly into LDAP filter parameters without sanitization, attackers can inject LDAP filter syntax operators such as asterisks (*), parentheses, and logical operators (|, &, !) to modify query semantics, similar to SQL injection but targeting LDAP directory protocols.
RemediationAI
Immediately upgrade n8n to version 1.123.27, 2.13.3, 2.14.1, or later (see vendor advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42). Until patching is feasible, implement the following temporary mitigations: restrict workflow creation and editing permissions to fully trusted internal users only, exclude the LDAP node entirely by adding n8n-nodes-base.ldap to the NODES_EXCLUDE environment variable, and audit existing workflows to identify and remove any instances where external user input (from webhooks, forms, or API parameters) is passed via expressions into LDAP node search filters. These workarounds do not fully eliminate risk and should be treated as short-term measures only pending upgrade.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15958
GHSA-w83q-mcmx-mh42