SB20260205105 - Multiple vulnerabilities in n8n
Published: February 5, 2026 Updated: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-25631)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in the HTTP Request node's credential domain validation. A remote user can send requests with credentials to unintended domains.
2) Improper Authentication (CVE-ID: CVE-2026-33665)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to gain full access to another user's account.
The vulnerability exists due to improper authentication in LDAP account linking when matching an LDAP identity to an existing local account by email during login. A remote user can set their own LDAP email attribute to match another user's email and log in to gain full access to another user's account.
LDAP authentication must be configured and active, and the account linkage persists even if the LDAP email attribute is later reverted.
Remediation
Install update from vendor's website.