LDAP injection in n8n - CVE-2026-33751

 


Published: April 23, 2026


Vulnerability identifier: #VU127211
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33751
CWE-ID: CWE-90
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information or bypass authentication checks implemented in the workflow.

The vulnerability exists because the filter escape logic of the LDAP node improperly neutralizes special elements when user-controlled input is interpolated into LDAP search filters. A remote attacker can supply crafted input through expressions to disclose sensitive information or bypass authentication checks implemented in the workflow.

Exploitation requires a workflow configuration in which external user input is passed via expressions into the LDAP node's search parameters.
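
To illustrate the class of flaw described above (CWE-90), the following added example, which is not n8n's code and not part of the original advisory, shows unescaped filter interpolation beside RFC 4515 value escaping. The function names, the filter layout and the sample inputs are assumptions made for illustration.

```javascript
// Added example: RFC 4515 value escaping for LDAP search filters.
// Function names and the filter layout are assumptions, not n8n code.

// RFC 4515 section 3: these characters must be written as \XX (hex) in a value.
const LDAP_FILTER_ESCAPES = {
  '\\': '\\5c',
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\0': '\\00',
};

function escapeLdapFilterValue(value) {
  // An expression can resolve to an array, object or undefined; refuse those
  // instead of relying on implicit string conversion.
  if (typeof value !== 'string') {
    throw new TypeError('LDAP filter value must be a string');
  }
  // Single pass, so a backslash produced by one escape is never escaped again.
  return value.replace(/[\\*()\0]/g, (ch) => LDAP_FILTER_ESCAPES[ch]);
}

// Unsafe pattern: the value is placed into the filter as-is, so any
// metacharacter in it becomes part of the filter syntax.
function buildFilterUnescaped(uid) {
  return `(&(objectClass=person)(uid=${uid}))`;
}

// Hardened pattern: the value is escaped before interpolation, so it can
// only ever be matched as literal text.
function buildFilterEscaped(uid) {
  return `(&(objectClass=person)(uid=${escapeLdapFilterValue(uid)}))`;
}

// Constructed sample inputs (not taken from the advisory).
const samples = ['alice', 'al*ce', 'x)(y', 'a\\b'];
for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log('  unescaped:', buildFilterUnescaped(s));
  console.log('  escaped:  ', buildFilterEscaped(s));
}
```

In a workflow that cannot be updated immediately, the same check can be applied to any expression value before it reaches an LDAP search parameter.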


How to mitigate CVE-2026-33751

Install the security update from the vendor's website.
