CVE-2026-56348 in n8n
Summary
by MITRE • 06/23/2026
n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data.
Analysis
by VulDB Data Team • 06/23/2026
The vulnerability under discussion affects n8n versions prior to 2.20.0 and represents a critical credential exfiltration flaw within the dynamic node parameters functionality. The weakness exists in the POST /rest/dynamic-node-parameters/options endpoint, which serves as an interface for retrieving dynamic configuration options for nodes within the workflow automation platform. It arises from insufficient validation of HTTP request destinations, which allows authenticated users to bypass the Allowed HTTP Request Domains restrictions that are designed to prevent unauthorized network communications.
The technical implementation flaw stems from the lack of proper domain validation mechanisms when processing dynamic node parameters requests. When legitimate users submit requests to this endpoint, the system fails to adequately verify whether the target domains for outgoing HTTP requests fall within the permitted whitelist. This oversight creates a path for malicious actors who have gained credential access to manipulate the request parameters and redirect HTTP communications to unauthorized external hosts. The vulnerability specifically targets the authentication data handling mechanisms within n8n's HTTP request processing, where credentials are automatically included in outbound requests without proper destination validation.
From an operational impact perspective, this vulnerability enables authenticated attackers to exfiltrate sensitive authentication data from the n8n server environment. The compromised system can be coerced into making HTTP requests that include user credentials, API keys, or other sensitive information to attacker-controlled domains. This capability significantly undermines the security posture of organizations relying on n8n for workflow automation, as it allows unauthorized data leakage without requiring elevated privileges beyond standard user access. The attack vector is particularly concerning because it leverages legitimate system functionality to achieve malicious objectives, making detection more challenging.
The vulnerability aligns with CWE-918, which addresses Server-Side Request Forgery issues where applications fail to properly validate destination URLs for HTTP requests. From an ATT&CK framework perspective, this weakness maps to T1566.002 - Phishing via Service, as attackers can leverage the legitimate n8n infrastructure to harvest credentials from within the target environment. The exploitation requires only authenticated access to the system, making it particularly dangerous in environments where credential compromise is possible through social engineering or other attack vectors. Organizations should note that this vulnerability represents a privilege escalation risk when combined with other initial access methods.
Mitigation strategies include enforcing strict domain validation for all HTTP requests originating from n8n's dynamic node parameters functionality, so that outbound requests are limited to pre-approved domains only. The recommended approach is to update to n8n version 2.20.0 or later, where this vulnerability has been addressed through enhanced validation mechanisms. Additionally, organizations should implement network-level restrictions and monitor for unusual outbound HTTP traffic patterns, paying particular attention to requests to the endpoint named in the vulnerability description. Regular security audits of authentication data handling processes and access controls that follow the principle of least privilege can further reduce the attack surface. System administrators should also consider implementing web application firewalls to detect and block suspicious requests to the vulnerable endpoint.
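The destination check described above, sketched as an added example for Node.js; it is not n8n's code or its fix. The allowlist format (comma-separated hosts with an optional `*.` wildcard), the function names and the sample hosts are assumptions made for illustration.

```javascript
// Added example, not n8n source. Allowlist format is an assumption:
// comma-separated hostnames, optional "*." prefix meaning "any subdomain".
function parseAllowlist(raw) {
  return raw.split(',').map((d) => d.trim().toLowerCase()).filter(Boolean);
}

// True only when the parsed hostname equals an entry or is a subdomain of a
// wildcard entry. Matching the parsed host (not the raw string) defeats
// userinfo tricks and look-alike suffixes.
function isDestinationAllowed(rawUrl, allowlist) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable destination: fail closed
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const host = url.hostname.toLowerCase().replace(/\.$/, ''); // drop trailing dot
  return allowlist.some((entry) => {
    if (entry.startsWith('*.')) {
      return host.endsWith(entry.slice(1)); // keeps the leading "." boundary
    }
    return host === entry;
  });
}

// Hypothetical helper: the stored credential is attached only after the
// destination has passed the allowlist check.
function buildOutboundRequest(rawUrl, credentialToken, allowlist) {
  if (!isDestinationAllowed(rawUrl, allowlist)) {
    throw new Error(`destination not allowed for credentialed request: ${rawUrl}`);
  }
  return { url: rawUrl, headers: { Authorization: `Bearer ${credentialToken}` } };
}

// Constructed sample input (reserved example/test domains).
const ALLOWLIST = parseAllowlist('api.example.com, *.internal.example.com');
const SAMPLES = [
  'https://api.example.com/v1/items',               // exact match
  'https://api.example.com.untrusted.test/v1/items', // look-alike suffix
  'https://api.example.com@untrusted.test/',         // userinfo, real host differs
  'https://svc.internal.example.com/options',        // wildcard subdomain
  'https://internal.example.com/',                   // wildcard apex, not a subdomain
];
for (const u of SAMPLES) console.log(isDestinationAllowed(u, ALLOWLIST), u);
```

The check has to run on every code path that can attach a credential to an outbound request, including option-loading endpoints, not only on workflow execution.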