SB20260205105 - Multiple vulnerabilities in n8n



SB20260205105 - Multiple vulnerabilities in n8n

Published: February 5, 2026 Updated: April 30, 2026

Security Bulletin ID SB20260205105
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-25631)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the HTTP Request node's credential domain validation. A remote user can send requests with credentials to unintended domains.


2) Improper Authentication (CVE-ID: CVE-2026-33665)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to gain full access to another user's account.

The vulnerability exists due to improper authentication in LDAP account linking when matching an LDAP identity to an existing local account by email during login. A remote user can set their own LDAP email attribute to match another user's email and log in to gain full access to another user's account.

LDAP authentication must be configured and active, and the account linkage persists even if the LDAP email attribute is later reverted.


Remediation

Install update from vendor's website.