PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56348 n8n CVE debrief

CVE-2026-56348 is a medium-severity (CVSS 5.3) credential exfiltration vulnerability in n8n before 2.20.0. It exists in the POST /rest/dynamic-node-parameters/options endpoint and allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data. The CVE was published on June 22, 2026, and modified on June 24, 2026. n8n has released a patch for this vulnerability in version 2.20.0.

Vendor: n8n
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-24
Advisory published: 2026-06-22
Advisory updated: 2026-06-24

Who should care

Security teams and administrators responsible for n8n installations should be aware of this vulnerability. It can be exploited by authenticated users with credential access. Organizations using n8n versions prior to 2.20.0 should prioritize patching to prevent potential credential exfiltration.

Technical summary

The vulnerability exists in the POST /rest/dynamic-node-parameters/options endpoint of n8n before 2.20.0. Authenticated users can bypass Allowed HTTP Request Domains restrictions, allowing them to cause the n8n server to issue HTTP requests with credentials to unauthorized hosts. This can lead to the exfiltration of sensitive authentication data. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Patching to version 2.20.0 or later is strongly recommended. In the meantime, defenders should monitor for suspicious activity and restrict access to the affected endpoint.

Recommended defensive actions

  • Patch n8n to version 2.20.0 or later
  • Monitor for suspicious activity on the POST /rest/dynamic-node-parameters/options endpoint
  • Restrict access to the affected endpoint
  • Review and update Allowed HTTP Request Domains restrictions
  • Implement additional monitoring for potential credential exfiltration
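
The monitoring actions above can be approximated with log correlation. The following is an added example, not n8n or PatchSiren code: it pairs POSTs to the affected endpoint in a reverse-proxy access log with outbound requests from the n8n host to destinations outside an allowlist. The log formats, the wildcard allowlist syntax, the 5-second window and all sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/rest/dynamic-node-parameters/options"
# Reverse-proxy access log in combined log format (assumed deployment).
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}')

def host_allowed(host, allowlist):
    """Exact match, or '*.suffix' wildcard matched on a label boundary."""
    host = host.lower().rstrip(".")
    return any(host == e or (e.startswith("*.") and host.endswith(e[1:]))
               for e in map(str.lower, allowlist))

def endpoint_hits(access_lines):
    """Return (time, client) for each POST to the affected endpoint."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].rstrip("/") == ENDPOINT:
            hits.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["client"]))
    return hits

def correlate(access_lines, egress_lines, allowlist, window_s=5):
    """Pair endpoint POSTs with off-allowlist egress within window_s seconds."""
    off_list = []
    for line in egress_lines:  # assumed format: "<ISO-8601 time> <dest host>"
        ts, host = line.split()
        if not host_allowed(host, allowlist):
            off_list.append((datetime.fromisoformat(ts), host))
    window = timedelta(seconds=window_s)
    return [(client, host)
            for hit_ts, client in endpoint_hits(access_lines)
            for out_ts, host in off_list
            if timedelta(0) <= out_ts - hit_ts <= window]

# Constructed sample data, not real traffic.
ACCESS = [
    '10.0.0.5 - - [23/Jun/2026:10:00:00 +0000] "POST /rest/dynamic-node-parameters/options HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Jun/2026:10:05:00 +0000] "POST /rest/dynamic-node-parameters/options HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Jun/2026:10:06:00 +0000] "GET /healthz HTTP/1.1" 200 15',
]
EGRESS = ["2026-06-23T10:00:01+00:00 api.allowed.example",
          "2026-06-23T10:05:02+00:00 collector.other.test"]
ALLOWLIST = ["*.allowed.example"]  # stand-in for Allowed HTTP Request Domains

if __name__ == "__main__":
    for client, host in correlate(ACCESS, EGRESS, ALLOWLIST):
        print(f"ALERT client={client} egress_host={host}")
```

A match is a lead for investigation rather than proof of exfiltration, since unrelated workflow traffic can fall inside the same window.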

Evidence notes

The CVE-2026-56348 vulnerability was published on June 22, 2026, and modified on June 24, 2026. The vulnerability affects n8n versions prior to 2.20.0. The CVSS score for this vulnerability is 5.3, and it is considered medium severity. The CWE for this vulnerability is CWE-918.

This article is AI-assisted and based on the supplied source corpus.