Skip to main content

n8n EUVDEUVD-2026-38479

| CVE-2026-54304 HIGH
Information Exposure (CWE-200)
2026-06-16 https://github.com/n8n-io/n8n GHSA-rm2v-h48j-895m
7.1
CVSS 4.0 · Vendor: https://github.com/n8n-io/n8n
Share

Severity by source

Vendor (https://github.com/n8n-io/n8n) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-reachable via authenticated workflow editor (PR:L), no user interaction, scope changes since a third-party API credential is exposed (S:C), confidentiality-only impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (https://github.com/n8n-io/n8n).

CVSS VectorVendor: https://github.com/n8n-io/n8n

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 18:37 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 18:22 NVD
7.7 (HIGH) 7.1 (HIGH)
Source Code Evidence Fetched
Jun 17, 2026 - 00:15 vuln.today
Analysis Generated
Jun 17, 2026 - 00:15 vuln.today

DescriptionCVE.org

Impact

An authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached the SecurityScorecard API token to the outbound request, causing the credential to be sent to the attacker-controlled host bypassing credential configured limitations and exfiltrating.

Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Limit workflow creation and editing permissions to fully trusted users only.
  • Disable the SecurityScorecard node by adding n8n-nodes-base.securityScorecard to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

Credential exfiltration in n8n workflow automation platform allows authenticated workflow editors to leak SecurityScorecard API tokens to attacker-controlled hosts. The SecurityScorecard node's report download operation fails to validate the target URL against the credential's allowed-domains restriction, attaching the API token to outbound requests directed at arbitrary attacker URLs. No public exploit identified at time of analysis, but the upstream fix is published and traceable through the vendor's GitHub Security Advisory.

Technical ContextAI

n8n is a popular Node.js-based workflow automation platform (distributed via npm as 'n8n') that lets users build integrations between SaaS services using pre-built 'nodes'. The flawed SecurityScorecard node provides a report-download operation that takes a URL parameter; the bug is a CWE-200 (Exposure of Sensitive Information) class issue where the node attaches the bound credential's API bearer token to the outbound HTTP request without first validating that the destination URL matches the allow-listed domains configured on the credential. This bypasses n8n's credential-scoping protection and effectively turns a server-side request feature into a credential-exfiltration primitive.

RemediationAI

Vendor-released patch: upgrade n8n to 1.123.55, 2.25.7, or 2.26.1 (or later) per the vendor advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-rm2v-h48j-895m. If immediate upgrade is not feasible, disable the affected node by adding 'n8n-nodes-base.securityScorecard' to the NODES_EXCLUDE environment variable (this breaks any existing workflows that rely on SecurityScorecard integration), and tighten workflow-creation and editing permissions to fully trusted users only (reducing collaboration utility but shrinking the attacker pool). As a defense-in-depth measure, rotate any SecurityScorecard API tokens that were configured in n8n before patching, since the vulnerability allowed silent exfiltration prior to remediation.

Share

EUVD-2026-38479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy