CVE-2026-56348 | n8n before 2.20.0 contains a credential exfiltration vulnera… | CVSS 9.1 CRITICAL

Description

n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data.

Metadata

CVE ID: CVE-2026-56348
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 18:13 UTC
Published: 2026-06-22 21:04 UTC
Last updated: 2026-06-22 21:04 UTC
Primary CWE: CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product: n8n / n8n
Sources: cve.org · NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Affected products (1)

Vendor	Product	Platform	Versions
n8n	n8n	—	0 < 2.20.0, 2.20.0

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	Server-Side Request Forgery (SSRF)

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.1	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L

References (2)

GitHub Security Advisory (GHSA-3875-8gcx-7v46) https://github.com/n8n-io/n8n/security/advisories/GHSA-3875-8gcx-7v46
VulnCheck Advisory: n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint https://www.vulncheck.com/advisories/n8n-credential-exfiltration-via-allowed-http-request-domains-bypass-in-dynamic-node-parameters-endpoint