Wasteland.
⚡ Active KEV CVE-2026-56348 2026-06-22

CVE-2026-56348: n8n Credential Exfiltration via Allowed HTTP Request Domains Bypass

A critical server-side request forgery flaw in n8n before 2.20.0 lets authenticated users bypass domain restrictions and exfiltrate stored credentials to attacker-controlled hosts.

What Is It

CVE-2026-56348 is a credential exfiltration vulnerability (CWE-918, server-side request forgery) in the n8n workflow automation platform. It resides in the POST /rest/dynamic-node-parameters/options endpoint. Authenticated users can bypass the "Allowed HTTP Request Domains" restrictions, causing the n8n server to issue HTTP requests carrying credentials to unauthorized hosts. This allows attackers with credential access to exfiltrate sensitive authentication data.

NVD assigns a CVSS 3.1 base score of 9.1 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L. A secondary CVSS 4.0 score of 5.3 (Medium) is also published. The attack is network-based, low-complexity, and requires only low privileges with no user interaction.

Why It Matters

The flaw turns an n8n instance's own credential store against its operators. Because n8n workflows commonly hold API keys, tokens, and authentication secrets for connected services, a successful bypass can leak those secrets to hosts the operator never authorized. The CVSS scope is marked Changed, reflecting impact beyond the vulnerable component itself. The high confidentiality impact and low privilege requirement make this attractive to any user who already has limited access to an instance.

What's Vulnerable

All n8n versions before 2.20.0 are affected (npm package pkg:npm/n8n). Version 2.20.0 and later are unaffected.

Patch Status

Upgrade to n8n 2.20.0 or later, which remediates the bypass. The fix is documented in the vendor GitHub security advisory and the VulnCheck advisory. No CISA KEV entry was supplied for this CVE, so there is no confirmation of active exploitation at this time.
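Added example, not n8n's or the advisory's code: it flags POST requests to the endpoint named under "What Is It" in a reverse-proxy access log (assumed nginx combined format; the log lines are constructed) and checks a version string against the 2.20.0 fix boundary given above. It assumes the endpoint is also hit by the editor UI during normal use, so it reports bursts from one client rather than single requests.

```python
import re
from datetime import datetime

FIXED_VERSION = (2, 20, 0)  # first unaffected release, per the advisory
VULN_PATH = "/rest/dynamic-node-parameters/options"

# Added example, not n8n's code. Assumes an nginx "combined"-style access log in front of n8n.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample: a single request from one client (normal editor use), then a burst from another.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2026:10:00:02 +0000] "POST /rest/dynamic-node-parameters/options HTTP/1.1" 200 88
10.0.0.9 - - [22/Jun/2026:10:05:00 +0000] "POST /rest/dynamic-node-parameters/options?x=1 HTTP/1.1" 200 88
10.0.0.9 - - [22/Jun/2026:10:05:01 +0000] "POST /rest/dynamic-node-parameters/options HTTP/1.1" 200 88
10.0.0.9 - - [22/Jun/2026:10:05:02 +0000] "POST /rest/dynamic-node-parameters/options HTTP/1.1" 500 40
"""

def parse_version(v):
    """'v2.19.3-beta' -> (2, 19, 3); missing components count as 0."""
    parts = [int(p) for p in v.lstrip("v").split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    # Tuple comparison, so "2.3.5" sorts below "2.20.0" (string comparison would not).
    return parse_version(version) < FIXED_VERSION

def find_option_posts(lines):  # -> [(ip, timestamp, status)] for POSTs to VULN_PATH
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == VULN_PATH:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((m["ip"], ts, int(m["status"])))
    return hits

def bursty_clients(hits, window_seconds=60, threshold=3):
    """Client IPs with >= threshold endpoint POSTs inside window_seconds. The editor UI
    calls this endpoint in normal use, so single hits mean little; bursts merit a look."""
    by_ip = {}
    for ip, ts, _ in hits:
        by_ip.setdefault(ip, []).append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        if any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds
               for i in range(len(stamps) - threshold + 1)):
            flagged.add(ip)
    return flagged
```

Run `find_option_posts(SAMPLE_LOG.splitlines())` and feed the result to `bursty_clients` to see the second client flagged while the single editor-style request is not.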

Sources