CVE-2026-33751 — MEDIUM (CVSS 4.8)

Q: Is CVE-2026-33751 actively exploited?

No confirmed active exploitation of CVE-2026-33751 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-33751?

1. PATCH: Upgrade to n8n 1.123.27 (v1 branch), 2.13.3, or 2.14.1 immediately. These versions fix the filter escape logic in the LDAP node. 2. DISABLE (if patching is not immediate): Set environment variable NODES_EXCLUDE=n8n-nodes-base.ldap to prevent LDAP node execution. 3. RESTRICT: Limit workflow creation/editing to fully trusted users — prevent untrusted users from introducing LDAP nodes with unvalidated expressions. 4. SANITIZE INPUT: Audit existing workflows using the LDAP node; ensure any external input passed via expressions is validated or allow-listed before interpolation into LDAP filters. 5. DETECT: Review n8n workflow logs for anomalous LDAP filter patterns containing metacharacters (*, (, ), \, NUL). Alert on LDAP queries returning unusually large result sets. 6. AUDIT: Inventory all n8n workflows using the LDAP node and map which accept external input via webhooks, forms, or HTTP triggers.

Q: What systems are affected by CVE-2026-33751?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, enterprise identity integration, AI agent pipelines with external input.

Q: What is the CVSS score for CVE-2026-33751?

CVE-2026-33751 has a CVSS v3.1 base score of 4.8 (MEDIUM). The EPSS exploitation probability is 0.02%.

CISO Take

If your organization uses n8n to build AI agent workflows that accept external user input and route it through LDAP authentication nodes, you are exposed to authentication bypass and unauthorized LDAP data retrieval. Exploitation requires a specific workflow configuration (LDAP node + user-controlled expressions), but this pattern is common in enterprise identity-integrated automation. Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately; if you cannot patch, disable the LDAP node via NODES_EXCLUDE environment variable.

What is the risk?

CVSS 4.8 understates practical risk in AI agent deployments. While attack complexity is rated HIGH (specific workflow config required), n8n is increasingly used to build AI agent pipelines with LDAP-backed authentication — the exact vulnerable pattern. No authentication or user interaction is required from the attacker once a susceptible workflow is exposed via webhook or form. Blast radius is bounded by the LDAP directory scope and workflow permissions, but in enterprise environments this could mean broad directory enumeration or authentication bypass for identity-integrated AI agents. EPSS is near-zero (0.00075) and not in KEV, indicating no observed in-the-wild exploitation, but the vulnerability class (LDAP injection) is well-understood and tooled.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 1.123.27	`1.123.27`
187.3K OpenSSF 6.1 16 dependents Pushed 5d ago 43% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

4.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 5% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC High

PR None

UI None

S Unchanged

C Low

I Low

A None

What should I do?

6 steps

PATCH

Upgrade to n8n 1.123.27 (v1 branch), 2.13.3, or 2.14.1 immediately. These versions fix the filter escape logic in the LDAP node.
DISABLE (if patching is not immediate): Set environment variable NODES_EXCLUDE=n8n-nodes-base.ldap to prevent LDAP node execution.
RESTRICT

Limit workflow creation/editing to fully trusted users — prevent untrusted users from introducing LDAP nodes with unvalidated expressions.
SANITIZE INPUT

Audit existing workflows using the LDAP node; ensure any external input passed via expressions is validated or allow-listed before interpolation into LDAP filters.
DETECT

Review n8n workflow logs for anomalous LDAP filter patterns containing metacharacters (*, (, ), \, NUL). Alert on LDAP queries returning unusually large result sets.
AUDIT

Inventory all n8n workflows using the LDAP node and map which accept external input via webhooks, forms, or HTTP triggers.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.3 - Security of AI system inputs

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to recognize and respond to risks from AI system dependencies

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-33751?

If your organization uses n8n to build AI agent workflows that accept external user input and route it through LDAP authentication nodes, you are exposed to authentication bypass and unauthorized LDAP data retrieval. Exploitation requires a specific workflow configuration (LDAP node + user-controlled expressions), but this pattern is common in enterprise identity-integrated automation. Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately; if you cannot patch, disable the LDAP node via NODES_EXCLUDE environment variable.

Is CVE-2026-33751 actively exploited?

No confirmed active exploitation of CVE-2026-33751 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33751?

1. PATCH: Upgrade to n8n 1.123.27 (v1 branch), 2.13.3, or 2.14.1 immediately. These versions fix the filter escape logic in the LDAP node. 2. DISABLE (if patching is not immediate): Set environment variable NODES_EXCLUDE=n8n-nodes-base.ldap to prevent LDAP node execution. 3. RESTRICT: Limit workflow creation/editing to fully trusted users — prevent untrusted users from introducing LDAP nodes with unvalidated expressions. 4. SANITIZE INPUT: Audit existing workflows using the LDAP node; ensure any external input passed via expressions is validated or allow-listed before interpolation into LDAP filters. 5. DETECT: Review n8n workflow logs for anomalous LDAP filter patterns containing metacharacters (*, (, ), \, NUL). Alert on LDAP queries returning unusually large result sets. 6. AUDIT: Inventory all n8n workflows using the LDAP node and map which accept external input via webhooks, forms, or HTTP triggers.

What systems are affected by CVE-2026-33751?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, enterprise identity integration, AI agent pipelines with external input.

What is the CVSS score for CVE-2026-33751?

CVE-2026-33751 has a CVSS v3.1 base score of 4.8 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An adversary targets an organization using n8n to power an AI agent that authenticates users against Active Directory before granting access to sensitive workflows. The n8n instance exposes a webhook endpoint that accepts a username parameter, which is interpolated via an expression into an LDAP search filter: (&(objectClass=user)(sAMAccountName={{$json.username}})). The attacker submits username=*)(|(objectClass=* — injecting LDAP metacharacters that transform the filter into (&(objectClass=user)(sAMAccountName=*)(|(objectClass=*)) — effectively matching all LDAP objects and bypassing the intended user-specific lookup. Depending on workflow logic, this returns the first LDAP result (often an admin account), allowing authentication bypass. Alternatively, the attacker submits username=*)(memberOf=CN=Domain Admins,DC=corp,DC=local)(* to enumerate domain admin accounts, harvesting organizational structure without credentials.