CVE-2026-33751 in n8n
Summary
by MITRE • 03/25/2026
n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Analysis
by VulDB Data Team • 04/01/2026
The vulnerability identified as CVE-2026-33751 affects n8n, an open source workflow automation platform, where a critical flaw exists in the LDAP node's filter escape logic. This vulnerability stems from improper handling of user-controlled input within LDAP search filters, creating a path for malicious manipulation of authentication and authorization workflows. The flaw specifically manifests when external user input is interpolated into LDAP search parameters through expressions, allowing attackers to exploit the lack of proper escaping mechanisms.
This vulnerability represents a classic injection flaw that aligns with CWE-77 and CWE-91, categorizing it as an LDAP injection vulnerability where metacharacters are not properly escaped during filter construction. The technical implementation defect occurs in the LDAP node's parameter interpolation process, where user-supplied data bypasses sanitization routines that should escape special LDAP characters such as asterisks, parentheses, and other metacharacters used in LDAP filter syntax. The vulnerability requires specific workflow configurations to be exploitable, namely when the LDAP node is utilized with user-controlled input passed through expressions from external sources like forms or webhooks.
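The escaping the analysis refers to is the RFC 4515 value encoding: inside a filter value, backslash, asterisk, parentheses and NUL must be replaced by `\` followed by two hex digits, otherwise the value can alter the filter's structure. The following added example (not n8n's code; the filter shape and the `uid` attribute are assumptions) shows a filter built with the value interpolated verbatim beside the same filter built with the value escaped, and a small structural check that makes the difference measurable:

```javascript
// Added example, not n8n's own code: RFC 4515 escaping of a value that is
// interpolated into an LDAP search filter, next to the unescaped build of
// the same filter so the structural difference is visible.

// Escape the characters that carry meaning inside an LDAP filter value
// (RFC 4515 section 3): backslash, asterisk, parentheses and NUL.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Vulnerable pattern: user input pasted into the filter verbatim.
function buildFilterUnsafe(uid) {
  return `(&(objectClass=person)(uid=${uid}))`;
}

// Hardened pattern: the same filter with the value escaped first.
function buildFilterSafe(uid) {
  return `(&(objectClass=person)(uid=${escapeLdapFilterValue(uid)}))`;
}

// Count filter components: each unescaped "(" opens one. Parentheses that
// arrive inside a value change this count; escaped ones cannot.
function countFilterComponents(filter) {
  let count = 0;
  for (let i = 0; i < filter.length; i++) {
    if (filter[i] === '\\') { i++; continue; } // skip the escaped character
    if (filter[i] === '(') count++;
  }
  return count;
}

// Constructed inputs: a normal username and one carrying metacharacters.
const NORMAL_INPUT = 'jdoe';
const METACHAR_INPUT = 'smith)(mail=*';

// With escaping, both inputs yield a filter with the same three components;
// without it, the second input adds a fourth component of its own.
const UNSAFE_COMPONENTS = countFilterComponents(buildFilterUnsafe(METACHAR_INPUT));
const SAFE_COMPONENTS = countFilterComponents(buildFilterSafe(METACHAR_INPUT));
```

The structural count is a useful unit-test oracle for any code path that builds filters from expressions: if escaping is applied, the number of components must not depend on the input value.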
The operational impact of this vulnerability extends beyond simple data retrieval, as it can enable attackers to bypass authentication mechanisms implemented within n8n workflows. An attacker could manipulate LDAP search filters to retrieve unintended records, potentially accessing sensitive user information or even escalating privileges through crafted filter expressions. This creates a significant risk for organizations relying on n8n for authentication workflows or for systems where LDAP integration is used for access control. Because exploitation depends on a specific workflow configuration, broad exploitation is less likely, but the vulnerability still poses a serious threat to environments where such workflows exist.
The remediation process requires upgrading to specific patched versions of n8n, with versions 1.123.27, 2.13.3, and 2.14.1 providing the necessary fixes for this vulnerability. These updates implement proper escaping mechanisms for LDAP metacharacters and ensure that user-controlled input is appropriately sanitized before being incorporated into LDAP search filters. Organizations should prioritize upgrading their n8n installations to these patched versions to fully address the vulnerability. However, during the transition period or when immediate upgrades are not feasible, administrators can implement several temporary mitigations including restricting workflow creation permissions to fully trusted users, disabling the LDAP node entirely through environment variable configuration, and avoiding the use of unvalidated external input in LDAP node parameters.
The temporary mitigations recommended by the vendor align with defensive programming principles and access control best practices, though they represent incomplete solutions that do not fully eliminate the risk. Limiting workflow permissions addresses the attack surface by restricting who can create potentially vulnerable workflows, while disabling the LDAP node removes the specific vulnerable functionality from operation. These measures should be considered emergency responses rather than permanent solutions, as they may impact legitimate workflow functionality. The vulnerability's classification under the ATT&CK framework would fall within the credential access and defense evasion domains, as it enables both unauthorized access through authentication bypass and can be used to evade detection through manipulated search results. Organizations should conduct thorough security assessments of their n8n deployments to identify all workflows utilizing the LDAP node and ensure proper patching or mitigation implementation across their environments.
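Identifying every workflow that feeds expression-driven input into the LDAP node is the inventory step the analysis closes with. The following added example (not n8n's own tooling) scans an exported workflow definition for nodes of type `n8n-nodes-base.ldap`, the identifier the advisory uses for `NODES_EXCLUDE`, and reports which of their parameters are expressions. It assumes n8n's export format: a JSON object with a `nodes` array whose entries carry `name`, `type` and `parameters`, with expression values stored as strings that begin with `=` and contain `{{ ... }}`; the parameter names in the sample workflow are constructed for illustration.

```javascript
// Added example, not n8n's own tooling: inventory LDAP nodes in an exported
// workflow whose parameters are driven by expressions, so administrators can
// prioritise patching or review. Assumed export format: {"nodes": [{name,
// type, parameters}, ...]}; expression values are strings starting with "="
// that contain "{{ ... }}".

const LDAP_NODE_TYPE = 'n8n-nodes-base.ldap';

function isExpression(value) {
  return typeof value === 'string' && value.startsWith('=') && value.includes('{{');
}

// Walk a parameters object and return the dotted paths of expression values.
function findExpressionPaths(obj, prefix = '') {
  const paths = [];
  if (obj === null || typeof obj !== 'object') return paths;
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (isExpression(value)) {
      paths.push(path);
    } else if (typeof value === 'object') {
      paths.push(...findExpressionPaths(value, path));
    }
  }
  return paths;
}

// Report each LDAP node that has at least one expression-driven parameter.
// Nodes with only static parameters are not reported: the advisory's
// precondition is user-controlled input arriving via expressions.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== LDAP_NODE_TYPE) continue;
    const paths = findExpressionPaths(node.parameters || {});
    if (paths.length > 0) {
      findings.push({ node: node.name, expressionParameters: paths });
    }
  }
  return findings;
}

// Constructed sample workflow: a Webhook trigger feeding an LDAP search whose
// value comes from the webhook body, plus an LDAP node with static parameters.
// The parameter names (searchFor, searchValue) are assumptions.
const SAMPLE_WORKFLOW = {
  name: 'lookup-user',
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'lookup' } },
    {
      name: 'LDAP',
      type: 'n8n-nodes-base.ldap',
      parameters: {
        operation: 'search',
        baseDN: 'ou=people,dc=example,dc=com',
        searchFor: 'uid',
        searchValue: '={{ $json.body.username }}',
      },
    },
    {
      name: 'Static LDAP',
      type: 'n8n-nodes-base.ldap',
      parameters: { operation: 'search', baseDN: 'ou=people,dc=example,dc=com', searchValue: 'admin' },
    },
  ],
};

const AUDIT_RESULT = auditWorkflow(SAMPLE_WORKFLOW);
```

Run this over each workflow exported from an n8n instance (or over the workflow table of its database) and the resulting list is the set of workflows that require the upgrade, the `NODES_EXCLUDE` workaround, or a redesign that validates input before it reaches the LDAP node.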