Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated member (PR:L) over the network; AC:H and S:C because a specific shared-credential/allowlist config is needed and the leaked secret crosses the authorization boundary; impact is chiefly confidentiality (C:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, allowing a member-level user with use-only access to a shared credential to send its secret to an external server they control. This issue is fixed in versions 2.27.4 and 2.28.1.
AnalysisAI
Credential secret exfiltration in n8n (self-hosted workflow automation) prior to 2.27.4 and 2.28.1 lets a low-privilege member with use-only access to a shared credential leak that secret to an attacker-controlled server. The AI Agents feature fails to enforce the 'Allowed HTTP Request Domains' restriction when an MCP tool is aimed at an arbitrary URL, so the guardrail meant to keep secrets in-bounds is bypassed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated member-level account (PR:L) that has been granted use-only access to a shared credential which has an 'Allowed HTTP Request Domains' restriction configured, plus a deployment where the AI Agents feature and MCP tools are enabled and the member can create/edit a workflow that aims an MCP tool at an attacker-chosen URL. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N, VC:H, SC:H) scoring 7.1 High is internally consistent with the description: network-reachable, low attacker privilege (a member account), no user interaction, but with an Attack Requirement (AT:P) reflecting that a shared credential configured with a domain allowlist must actually exist. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A member-level user who has been granted use-only access to a shared API credential builds or edits a workflow with an AI Agent node, attaches an MCP tool, and points it at a URL on a server they control. Because the 'Allowed HTTP Request Domains' restriction is not enforced on that path, executing the workflow sends the credential's secret to their external endpoint, handing them a key they were never authorized to read. … |
| Remediation | Vendor-released patch: upgrade to n8n 2.27.4 (https://github.com/n8n-io/n8n/releases/tag/n8n%402.27.4) or 2.28.1 (https://github.com/n8n-io/n8n/releases/tag/n8n%402.28.1), depending on your release train, as documented in advisory GHSA-h44j-f5r5-ph73. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all n8n deployments, determine installed versions, and audit AI Agents feature usage with shared credentials. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with
n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft
An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit
Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP
The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox
The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is
The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is
n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow
This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42609