Improper access control in n8n - #VU137167
Published: July 8, 2026
n8n
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the GraphQL node when handling HTTP-based credentials for outbound requests. A remote user can configure the node to send requests to an attacker-controlled server to disclose sensitive information.
Only instances where a credential has "Allowed HTTP Request Domains" configured and is usable by non-owner users are vulnerable.