If your organization uses n8n to build AI agent workflows that accept external user input and route it through LDAP authentication nodes, you are exposed to authentication bypass and unauthorized LDAP data retrieval. Exploitation requires a specific workflow configuration (LDAP node + user-controlled expressions), but this pattern is common in enterprise identity-integrated automation. Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately; if you cannot patch, disable the LDAP node via NODES_EXCLUDE environment variable.
What is the risk?
CVSS 4.8 understates practical risk in AI agent deployments. While attack complexity is rated HIGH (specific workflow config required), n8n is increasingly used to build AI agent pipelines with LDAP-backed authentication — the exact vulnerable pattern. No authentication or user interaction is required from the attacker once a susceptible workflow is exposed via webhook or form. Blast radius is bounded by the LDAP directory scope and workflow permissions, but in enterprise environments this could mean broad directory enumeration or authentication bypass for identity-integrated AI agents. EPSS is near-zero (0.00075) and not in KEV, indicating no observed in-the-wild exploitation, but the vulnerability class (LDAP injection) is well-understood and tooled.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.27 | 1.123.27 |
Do you use n8n? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
PATCH
Upgrade to n8n 1.123.27 (v1 branch), 2.13.3, or 2.14.1 immediately. These versions fix the filter escape logic in the LDAP node.
-
DISABLE (if patching is not immediate): Set environment variable NODES_EXCLUDE=n8n-nodes-base.ldap to prevent LDAP node execution.
-
RESTRICT
Limit workflow creation/editing to fully trusted users — prevent untrusted users from introducing LDAP nodes with unvalidated expressions.
-
SANITIZE INPUT
Audit existing workflows using the LDAP node; ensure any external input passed via expressions is validated or allow-listed before interpolation into LDAP filters.
-
DETECT
Review n8n workflow logs for anomalous LDAP filter patterns containing metacharacters (*, (, ), \, NUL). Alert on LDAP queries returning unusually large result sets.
-
AUDIT
Inventory all n8n workflows using the LDAP node and map which accept external input via webhooks, forms, or HTTP triggers.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-33751?
If your organization uses n8n to build AI agent workflows that accept external user input and route it through LDAP authentication nodes, you are exposed to authentication bypass and unauthorized LDAP data retrieval. Exploitation requires a specific workflow configuration (LDAP node + user-controlled expressions), but this pattern is common in enterprise identity-integrated automation. Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately; if you cannot patch, disable the LDAP node via NODES_EXCLUDE environment variable.
Is CVE-2026-33751 actively exploited?
No confirmed active exploitation of CVE-2026-33751 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-33751?
1. PATCH: Upgrade to n8n 1.123.27 (v1 branch), 2.13.3, or 2.14.1 immediately. These versions fix the filter escape logic in the LDAP node. 2. DISABLE (if patching is not immediate): Set environment variable NODES_EXCLUDE=n8n-nodes-base.ldap to prevent LDAP node execution. 3. RESTRICT: Limit workflow creation/editing to fully trusted users — prevent untrusted users from introducing LDAP nodes with unvalidated expressions. 4. SANITIZE INPUT: Audit existing workflows using the LDAP node; ensure any external input passed via expressions is validated or allow-listed before interpolation into LDAP filters. 5. DETECT: Review n8n workflow logs for anomalous LDAP filter patterns containing metacharacters (*, (, ), \, NUL). Alert on LDAP queries returning unusually large result sets. 6. AUDIT: Inventory all n8n workflows using the LDAP node and map which accept external input via webhooks, forms, or HTTP triggers.
What systems are affected by CVE-2026-33751?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, enterprise identity integration, AI agent pipelines with external input.
What is the CVSS score for CVE-2026-33751?
CVE-2026-33751 has a CVSS v3.1 base score of 4.8 (MEDIUM). The EPSS exploitation probability is 0.24%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An adversary targets an organization using n8n to power an AI agent that authenticates users against Active Directory before granting access to sensitive workflows. The n8n instance exposes a webhook endpoint that accepts a username parameter, which is interpolated via an expression into an LDAP search filter: (&(objectClass=user)(sAMAccountName={{$json.username}})). The attacker submits username=*)(|(objectClass=* — injecting LDAP metacharacters that transform the filter into (&(objectClass=user)(sAMAccountName=*)(|(objectClass=*)) — effectively matching all LDAP objects and bypassing the intended user-specific lookup. Depending on workflow logic, this returns the first LDAP result (often an admin account), allowing authentication bypass. Alternatively, the attacker submits username=*)(memberOf=CN=Domain Admins,DC=corp,DC=local)(* to enumerate domain admin accounts, harvesting organizational structure without credentials.
Weaknesses (CWE)
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Primary
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Primary
CWE-90 — Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'): The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials
Same package: n8n CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same package: n8n CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same package: n8n CVE-2026-27577 9.9 n8n: Code Injection enables RCE
Same package: n8n CVE-2026-27494 9.9 n8n: security flaw enables exploitation
Same package: n8n