Description
n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a server-side request forgery flaw that allows an authenticated n8n user to bypass the Allowed HTTP Request Domains restriction on the POST /rest/dynamic-node-parameters/options endpoint. By sending crafted requests, the attacker can cause the n8n server to initiate HTTP calls to arbitrary hosts, delivering credentials stored on the server to those endpoints. The exposed data may include authentication tokens or other sensitive configuration values, compromising the integrity and confidentiality of the system.

Affected Systems

n8n is affected in all releases prior to 2.20.0. Hosts running these earlier versions are vulnerable, while versions 2.20.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with sufficient privileges to access the dynamic-node-parameters endpoint, after which the attacker can direct the server to transmit credentials to unauthorized hosts. No additional prerequisites such as network reachability are stated; the risk is therefore confined to environments where such authenticated users exist.

Generated by OpenCVE AI on June 22, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n version 2.20.0 or later to eliminate the SSRF flaw (CWE-918).
  • If an upgrade cannot be performed immediately, limit or remove access to the /rest/dynamic-node-parameters/options endpoint for users who do not need it, or block the endpoint behind a reverse proxy or firewall rule.
  • Enforce outbound firewall rules that restrict the n8n server to communicate only with approved hosts, ensuring that credentials cannot be sent to unauthorized destinations.

Tracking

Advisories

Source | ID | Title
Github GHSA | GHSA-3875-8gcx-7v46 | n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
History

Mon, 22 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data.
Title | | n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint
First Time appeared | | N8n; N8n n8n
Weaknesses | | CWE-918
CPEs | | cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Vendors & Products | | N8n; N8n n8n
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:51.642Z

Reserved: 2026-06-20T18:13:07.363Z

Link: CVE-2026-56348

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T02:45:16Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)