CVE-2026-59207 in n8n
Summary
by MITRE • 07/09/2026
n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, allowing a member-level user with use-only access to a shared credential to send its secret to an external server they control. This issue is fixed in versions 2.27.4 and 2.28.1.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability in n8n workflow automation platform represents a critical authorization bypass affecting versions prior to 2.27.4 and 2.28.1, specifically within the AI Agents feature that utilizes MCP tools. This flaw stems from insufficient validation of HTTP request domains when executing tool calls against arbitrary URLs, creating a significant security gap that allows unauthorized data exfiltration. The vulnerability manifests when a member-level user with limited use-only access to shared credentials can circumvent configured domain restrictions and direct sensitive information to attacker-controlled external servers.
Technical exploitation occurs through the AI Agents functionality where MCP (Model Context Protocol) tools are configured to interact with arbitrary endpoints. The system fails to properly validate that requested domains align with the allowed HTTP request domains specified in credential configurations, creating a path for malicious actors to bypass access controls. This represents a violation of the principle of least privilege as defined in cybersecurity frameworks and allows unauthorized users to leverage legitimate shared credentials for unauthorized external communications.
The operational impact of this vulnerability extends beyond simple data leakage, as it enables potential credential compromise and unauthorized service access. A malicious user with minimal permissions can exploit this flaw to send sensitive authentication tokens, API keys, or other credential information to external servers they control, effectively escalating their privileges through credential reuse attacks. This issue directly relates to CWE-639: Authorization Bypass Through User-Controlled Key, which describes how applications fail to properly validate user inputs that control access to resources.
Security implications include potential compromise of shared credential integrity and unauthorized data exfiltration scenarios where attackers can establish command and control channels through legitimate workflow automation processes. The vulnerability affects organizations using n8n's AI Agents feature who have configured shared credentials with restricted domain allowances, as the protection mechanism fails when MCP tools are pointed at arbitrary URLs.
Mitigation strategies should focus on immediate deployment of patched versions 2.27.4 and 2.28.1, followed by comprehensive review of credential configurations to ensure proper domain restrictions are enforced across all workflow automation components. Organizations should implement additional monitoring for unusual external communications from their n8n instances and consider network-level controls to restrict outbound connections from automation platforms. The fix addresses the core issue by enforcing domain validation checks that align with established security practices outlined in the MITRE ATT&CK framework for credential access and defense evasion techniques, particularly targeting T1566.002: Phishing for Information and T1071.004: Application Layer Protocol: DNS to prevent unauthorized external communications from automated workflows.