CVE-2026-54304: n8n: credential exfiltration via SecurityScorecard SSRF node

GHSA-rm2v-h48j-895m HIGH
Published June 16, 2026
CISO Take

n8n's SecurityScorecard node contains a server-side request forgery flaw that lets any authenticated user with workflow creation rights redirect API token-bearing requests to an attacker-controlled server, silently bypassing the credential's configured domain allowlist. At CVSS 7.7 with Scope:Changed, the blast radius extends well beyond n8n — a stolen SecurityScorecard token exposes your entire third-party vendor risk posture, breach intelligence, and supply chain security data. The 89th-percentile EPSS ranking signals meaningful exploitation likelihood despite no current KEV listing, and n8n's history of 105 CVEs marks it as a persistently targeted attack surface. Patch immediately to n8n 1.123.55, 2.25.7, or 2.26.1; if you cannot, restrict workflow editing to fully trusted users and exclude the node via the NODES_EXCLUDE environment variable, then rotate any exposed SecurityScorecard API tokens.

Sources: NVD, EPSS, GitHub Advisory, ATLAS, OpenSSF

What is the risk?

Medium-High. The attack requires only a low-privilege authenticated n8n account and zero user interaction, making it realistic for insider threats, phished workflow editors, or contractors with scoped access. The CVSS Scope:Changed component amplifies the impact beyond n8n itself — a stolen SecurityScorecard token is a secondary key to third-party risk intelligence that could inform targeted supply chain attacks. No public exploit exists and the EPSS absolute probability is low (0.00034), but the 89th-percentile ranking combined with n8n's persistent CVE history suggests sustained adversary interest in the platform. The workarounds are partial at best and introduce operational friction, making patching the only real remediation path.

How does the attack unfold?

1. Initial Access (AML.T0012): Attacker authenticates to n8n using a valid low-privilege account that holds workflow creation or editing permissions.
2. Configuration Manipulation (AML.T0081): Attacker creates or modifies a workflow, replacing the SecurityScorecard report download URL with an attacker-controlled HTTP listener endpoint.
3. Credential Exfiltration (AML.T0086): Workflow executes and n8n issues an HTTP request to the attacker's server with the SecurityScorecard API token attached, bypassing the credential's configured domain allowlist.
4. Impact (AML.T0098): Attacker authenticates to SecurityScorecard with the harvested token, accessing the victim's full third-party vendor risk intelligence and supply chain security data.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
n8n | npm | < 1.123.55 | 1.123.55


How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 11% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

6 steps
  1. Upgrade n8n immediately: v1.x to 1.123.55, v2.x to 2.25.7 or 2.26.1 or any later release — the patch enforces URL validation against credential-configured domain restrictions before executing the outbound request.

  2. If patching is blocked: restrict workflow creation and editing permissions exclusively to fully trusted administrators via n8n's role-based access controls — treat workflow editor as a privileged role, not a standard user permission.

  3. Disable the SecurityScorecard node by adding 'n8n-nodes-base.securityScorecard' to the NODES_EXCLUDE environment variable.

  4. Audit all existing SecurityScorecard workflows for unexpected or external URLs in the report download operation configuration.

  5. Rotate SecurityScorecard API tokens for any n8n instance accessible to non-admin users or external contractors.

  6. Review n8n audit logs for unusual SecurityScorecard node executions or outbound requests to non-SecurityScorecard domains.
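The check that step 1 describes (validating the target URL against the credential's allowed domains before the outbound request is built) and the audit in step 4 are illustrated below. This is an added example written for this page, not n8n's code or the actual patch; the allowlist entry `api.securityscorecard.io`, the node parameter name `url`, the `Authorization: Token` header format and the sample workflow export are assumptions. It also shows why the check must run on the parsed hostname rather than on the raw string: the sample contains a URL that carries the allowed name in its userinfo part while actually connecting elsewhere.

```javascript
// Added example for this page, not n8n's code or the actual patch. It
// contrasts attaching a credential to whatever URL a workflow supplies with
// validating the host against the credential's allowed domains first, and
// adds an audit over an exported workflow definition.
// Assumptions (not taken from the advisory): the allowlist entry
// "api.securityscorecard.io", the node parameter name "url", the
// "Authorization: Token ..." header format and the sample workflow below.

const ALLOWED_DOMAINS = ["api.securityscorecard.io"]; // assumed allowlist entry

// Constructed credential; the token value is a placeholder, not a real key.
const SAMPLE_CREDENTIAL = {
  token: "PLACEHOLDER-SSC-TOKEN",
  allowedDomains: ALLOWED_DOMAINS,
};

// True only for an https URL whose host is one of the allowed domains or a
// subdomain of one. Parsing with the WHATWG URL class (instead of searching
// the raw string for the allowed name) makes the decision on the host the
// HTTP client would actually connect to.
function isHostAllowed(rawUrl, allowedDomains) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return false; // unparseable input never gets a credential attached
  }
  if (parsed.protocol !== "https:") return false; // no plaintext downgrade
  const host = parsed.hostname.toLowerCase();
  return allowedDomains.some((domain) => {
    const d = domain.toLowerCase();
    return host === d || host.endsWith("." + d);
  });
}

// Builds the outbound request with the token attached (header format assumed).
function attachToken(targetUrl, credential) {
  return {
    url: targetUrl,
    headers: { Authorization: `Token ${credential.token}` },
  };
}

// Pattern the advisory describes: the user-supplied URL is trusted as-is, so
// the token travels to any host the workflow author typed in.
function buildRequestVulnerable(targetUrl, credential) {
  return attachToken(targetUrl, credential);
}

// Hardened pattern: refuse before the credential ever touches the request.
function buildRequestHardened(targetUrl, credential) {
  if (!isHostAllowed(targetUrl, credential.allowedDomains)) {
    throw new Error(`refusing to send credential to ${targetUrl}: host not in allowlist`);
  }
  return attachToken(targetUrl, credential);
}

// Audit step: walk an exported workflow and report every SecurityScorecard
// node whose URL parameter points outside the allowlist.
function auditWorkflow(workflow, allowedDomains) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== "n8n-nodes-base.securityScorecard") continue;
    const url = node.parameters && node.parameters.url;
    if (typeof url !== "string") continue;
    if (!isHostAllowed(url, allowedDomains)) {
      findings.push({ node: node.name, url });
    }
  }
  return findings;
}

// Constructed workflow export (shape simplified; not a real n8n file).
const SAMPLE_WORKFLOW = {
  name: "vendor-risk-sync",
  nodes: [
    {
      name: "Download report",
      type: "n8n-nodes-base.securityScorecard",
      parameters: { url: "https://api.securityscorecard.io/reports/latest" },
    },
    {
      name: "Download report (tampered)",
      type: "n8n-nodes-base.securityScorecard",
      // The allowed name sits in the userinfo part; the host actually
      // contacted is listener.example, which the parsed check rejects.
      parameters: { url: "https://api.securityscorecard.io@listener.example/collect" },
    },
    { name: "Set fields", type: "n8n-nodes-base.set", parameters: {} },
  ],
};

const AUDIT_FINDINGS = auditWorkflow(SAMPLE_WORKFLOW, ALLOWED_DOMAINS);
console.log(AUDIT_FINDINGS); // one finding: the tampered node
```

Running the file prints the single tampered node. The same `isHostAllowed` predicate can be pointed at exported workflow JSON from a real instance once the actual parameter name of the node is confirmed, and it rejects plaintext `http://` targets and unparseable strings as well as foreign hosts.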

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Information security in AI system lifecycle
NIST AI RMF
MANAGE 4.1 - AI risk response and recovery
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-54304?

n8n's SecurityScorecard node contains a server-side request forgery flaw that lets any authenticated user with workflow creation rights redirect API token-bearing requests to an attacker-controlled server, silently bypassing the credential's configured domain allowlist. At CVSS 7.7 with Scope:Changed, the blast radius extends well beyond n8n — a stolen SecurityScorecard token exposes your entire third-party vendor risk posture, breach intelligence, and supply chain security data. The 89th-percentile EPSS ranking signals meaningful exploitation likelihood despite no current KEV listing, and n8n's history of 105 CVEs marks it as a persistently targeted attack surface. Patch immediately to n8n 1.123.55, 2.25.7, or 2.26.1; if you cannot, restrict workflow editing to fully trusted users and exclude the node via the NODES_EXCLUDE environment variable, then rotate any exposed SecurityScorecard API tokens.

Is CVE-2026-54304 actively exploited?

No confirmed active exploitation of CVE-2026-54304 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54304?

1. Upgrade n8n immediately: v1.x to 1.123.55, v2.x to 2.25.7 or 2.26.1 or any later release. The patch enforces URL validation against credential-configured domain restrictions before executing the outbound request.
2. If patching is blocked: restrict workflow creation and editing permissions exclusively to fully trusted administrators via n8n's role-based access controls. Treat workflow editor as a privileged role, not a standard user permission.
3. Disable the SecurityScorecard node by adding 'n8n-nodes-base.securityScorecard' to the NODES_EXCLUDE environment variable.
4. Audit all existing SecurityScorecard workflows for unexpected or external URLs in the report download operation configuration.
5. Rotate SecurityScorecard API tokens for any n8n instance accessible to non-admin users or external contractors.
6. Review n8n audit logs for unusual SecurityScorecard node executions or outbound requests to non-SecurityScorecard domains.

What systems are affected by CVE-2026-54304?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, AI agent pipelines, API orchestration, security operations automation.

What is the CVSS score for CVE-2026-54304?

CVE-2026-54304 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.03%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, workflow automation, AI agent pipelines, API orchestration, security operations automation

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0098 AI Agent Tool Credential Harvesting

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Impact

An authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached the SecurityScorecard API token to the outbound request, causing the credential to be sent to the attacker-controlled host, bypassing the credential's configured limitations and exfiltrating it.

## Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the SecurityScorecard node by adding `n8n-nodes-base.securityScorecard` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with low-privilege n8n access — an insider threat, a contractor, or a user whose account was phished — opens the workflow editor and creates or modifies a workflow using the SecurityScorecard 'Download Report' node. Instead of a legitimate SecurityScorecard API endpoint, they configure the report target URL to their own HTTP listener (e.g., a Burp Collaborator instance or ngrok tunnel). When the workflow executes on its next scheduled trigger or manual run, n8n issues an HTTP request to the attacker's server with the SecurityScorecard API token attached in the request headers, completely bypassing the credential's domain allowlist. The attacker extracts the token from their server logs and authenticates directly to SecurityScorecard's API, enumerating the victim's full third-party vendor risk intelligence — security scores, breach history, and supply chain exposure maps — without triggering any n8n-side alerts or leaving traces in n8n logs beyond a normal workflow execution.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 17, 2026
