n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data.
n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint
Problem type
Affected products
n8n
< 2.20.0 - AFFECTED
2.20.0 - UNAFFECTED
References
https://github.com/n8n-io/n8n/security/advisories/GHSA-3875-8gcx-7v46
https://www.vulncheck.com/advisories/n8n-credential-exfiltration-via-allowed-http-request-domains-bypass-in-dynamic-node-parameters-endpoint
GitHub Security Advisories
GHSA-3875-8gcx-7v46
n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
https://github.com/advisories/GHSA-3875-8gcx-7v46
Impact
The POST /rest/dynamic-node-parameters/options endpoint allowed any authenticated user to cause the n8n server to issue HTTP requests that included a credential, bypassing the intended restrictions on which hosts could be contacted with that credential (Allowed HTTP Request Domains). The user needed to be authenticated and have access to the credential.
Patches
The issue has been fixed in n8n version 2.20.0. Users should upgrade to this version or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict n8n access to fully trusted users only.
- Limit credential sharing to users who genuinely require access to those credentials.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-56348
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-56348",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-06-22T21:04:51.642Z",
    "dateReserved": "2026-06-20T18:13:07.363Z",
    "datePublished": "2026-06-22T21:04:51.642Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-06-22T21:04:51.642Z"
      },
      "datePublic": "2026-05-13T00:00:00.000Z",
      "title": "n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint",
      "descriptions": [
        {
          "lang": "en",
          "value": "n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data."
        }
      ],
      "affected": [
        {
          "vendor": "n8n",
          "product": "n8n",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "2.20.0"
            },
            {
              "version": "2.20.0",
              "status": "unaffected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Server-Side Request Forgery (SSRF)",
              "cweId": "CWE-918",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-3875-8gcx-7v46",
          "name": "GitHub Security Advisory (GHSA-3875-8gcx-7v46)",
          "tags": [
            "vendor-advisory"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/n8n-credential-exfiltration-via-allowed-http-request-domains-bypass-in-dynamic-node-parameters-endpoint",
          "name": "VulnCheck Advisory: n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "vnth4nhnt",
          "type": "reporter"
        }
      ]
    }
  }
}