Skip to main content

n8n EUVDEUVD-2026-42609

| CVE-2026-59207 HIGH
Protection Mechanism Failure (CWE-693)
2026-07-09 GitHub_M
7.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Authenticated member (PR:L) over the network; AC:H and S:C because a specific shared-credential/allowlist config is needed and the leaked secret crosses the authorization boundary; impact is chiefly confidentiality (C:H).

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 17:01 EUVD
Analysis Generated
Jul 09, 2026 - 16:23 vuln.today

DescriptionCVE.org

n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, allowing a member-level user with use-only access to a shared credential to send its secret to an external server they control. This issue is fixed in versions 2.27.4 and 2.28.1.

AnalysisAI

Credential secret exfiltration in n8n (self-hosted workflow automation) prior to 2.27.4 and 2.28.1 lets a low-privilege member with use-only access to a shared credential leak that secret to an attacker-controlled server. The AI Agents feature fails to enforce the 'Allowed HTTP Request Domains' restriction when an MCP tool is aimed at an arbitrary URL, so the guardrail meant to keep secrets in-bounds is bypassed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as member with use-only shared credential
Delivery
Create workflow with AI Agent and MCP tool
Exploit
Point MCP tool at attacker-controlled URL
Execution
Run workflow, bypassing domain allowlist
Persist
Credential secret exfiltrated to external server
Impact
Reuse stolen key for lateral access

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated member-level account (PR:L) that has been granted use-only access to a shared credential which has an 'Allowed HTTP Request Domains' restriction configured, plus a deployment where the AI Agents feature and MCP tools are enabled and the member can create/edit a workflow that aims an MCP tool at an attacker-chosen URL. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N, VC:H, SC:H) scoring 7.1 High is internally consistent with the description: network-reachable, low attacker privilege (a member account), no user interaction, but with an Attack Requirement (AT:P) reflecting that a shared credential configured with a domain allowlist must actually exist. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A member-level user who has been granted use-only access to a shared API credential builds or edits a workflow with an AI Agent node, attaches an MCP tool, and points it at a URL on a server they control. Because the 'Allowed HTTP Request Domains' restriction is not enforced on that path, executing the workflow sends the credential's secret to their external endpoint, handing them a key they were never authorized to read. …
Remediation Vendor-released patch: upgrade to n8n 2.27.4 (https://github.com/n8n-io/n8n/releases/tag/n8n%402.27.4) or 2.28.1 (https://github.com/n8n-io/n8n/releases/tag/n8n%402.28.1), depending on your release train, as documented in advisory GHSA-h44j-f5r5-ph73. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all n8n deployments, determine installed versions, and audit AI Agents feature usage with shared credentials. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-33720 MEDIUM POC
6.3 Mar 25

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

Share

EUVD-2026-42609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy