CVE-2026-33751: n8n: LDAP injection enables auth bypass in workflows

GHSA-w83q-mcmx-mh42 MEDIUM
Published March 25, 2026
CISO Take

If your organization uses n8n to build AI agent workflows that accept external user input and route it through LDAP authentication nodes, you are exposed to authentication bypass and unauthorized LDAP data retrieval. Exploitation requires a specific workflow configuration (LDAP node + user-controlled expressions), but this pattern is common in enterprise identity-integrated automation. Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately; if you cannot patch, disable the LDAP node via NODES_EXCLUDE environment variable.

What is the risk?

CVSS 4.8 understates practical risk in AI agent deployments. While attack complexity is rated HIGH (specific workflow config required), n8n is increasingly used to build AI agent pipelines with LDAP-backed authentication — the exact vulnerable pattern. No authentication or user interaction is required from the attacker once a susceptible workflow is exposed via webhook or form. Blast radius is bounded by the LDAP directory scope and workflow permissions, but in enterprise environments this could mean broad directory enumeration or authentication bypass for identity-integrated AI agents. EPSS is near-zero (0.00075) and not in KEV, indicating no observed in-the-wild exploitation, but the vulnerability class (LDAP injection) is well-understood and tooled.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm < 1.123.27 1.123.27
194.3K OpenSSF 6.6 Pushed 6d ago 53% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
4.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 16% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR None
UI None
S Unchanged
C Low
I Low
A None

What should I do?

6 steps
  1. PATCH

    Upgrade to n8n 1.123.27 (v1 branch), 2.13.3, or 2.14.1 immediately. These versions fix the filter escape logic in the LDAP node.

  2. DISABLE (if patching is not immediate): Set environment variable NODES_EXCLUDE=n8n-nodes-base.ldap to prevent LDAP node execution.

  3. RESTRICT

    Limit workflow creation/editing to fully trusted users — prevent untrusted users from introducing LDAP nodes with unvalidated expressions.

  4. SANITIZE INPUT

    Audit existing workflows using the LDAP node; ensure any external input passed via expressions is validated or allow-listed before interpolation into LDAP filters.

  5. DETECT

    Review n8n workflow logs for anomalous LDAP filter patterns containing metacharacters (*, (, ), \, NUL). Alert on LDAP queries returning unusually large result sets.

  6. AUDIT

    Inventory all n8n workflows using the LDAP node and map which accept external input via webhooks, forms, or HTTP triggers.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - Security of AI system inputs
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to recognize and respond to risks from AI system dependencies
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-33751?

If your organization uses n8n to build AI agent workflows that accept external user input and route it through LDAP authentication nodes, you are exposed to authentication bypass and unauthorized LDAP data retrieval. Exploitation requires a specific workflow configuration (LDAP node + user-controlled expressions), but this pattern is common in enterprise identity-integrated automation. Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately; if you cannot patch, disable the LDAP node via NODES_EXCLUDE environment variable.

Is CVE-2026-33751 actively exploited?

No confirmed active exploitation of CVE-2026-33751 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33751?

1. PATCH: Upgrade to n8n 1.123.27 (v1 branch), 2.13.3, or 2.14.1 immediately. These versions fix the filter escape logic in the LDAP node. 2. DISABLE (if patching is not immediate): Set environment variable NODES_EXCLUDE=n8n-nodes-base.ldap to prevent LDAP node execution. 3. RESTRICT: Limit workflow creation/editing to fully trusted users — prevent untrusted users from introducing LDAP nodes with unvalidated expressions. 4. SANITIZE INPUT: Audit existing workflows using the LDAP node; ensure any external input passed via expressions is validated or allow-listed before interpolation into LDAP filters. 5. DETECT: Review n8n workflow logs for anomalous LDAP filter patterns containing metacharacters (*, (, ), \, NUL). Alert on LDAP queries returning unusually large result sets. 6. AUDIT: Inventory all n8n workflows using the LDAP node and map which accept external input via webhooks, forms, or HTTP triggers.

What systems are affected by CVE-2026-33751?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, enterprise identity integration, AI agent pipelines with external input.

What is the CVSS score for CVE-2026-33751?

CVE-2026-33751 has a CVSS v3.1 base score of 4.8 (MEDIUM). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

agent frameworksworkflow automationenterprise identity integrationAI agent pipelines with external input

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An adversary targets an organization using n8n to power an AI agent that authenticates users against Active Directory before granting access to sensitive workflows. The n8n instance exposes a webhook endpoint that accepts a username parameter, which is interpolated via an expression into an LDAP search filter: (&(objectClass=user)(sAMAccountName={{$json.username}})). The attacker submits username=*)(|(objectClass=* — injecting LDAP metacharacters that transform the filter into (&(objectClass=user)(sAMAccountName=*)(|(objectClass=*)) — effectively matching all LDAP objects and bypassing the intended user-specific lookup. Depending on workflow logic, this returns the first LDAP result (often an admin account), allowing authentication bypass. Alternatively, the attacker submits username=*)(memberOf=CN=Domain Admins,DC=corp,DC=local)(* to enumerate domain admin accounts, harvesting organizational structure without credentials.

Weaknesses (CWE)

CWE-90 — Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'): The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Timeline

Published
March 25, 2026
Last Modified
March 27, 2026
First Seen
March 25, 2026

Related Vulnerabilities