CVE-2026-56348: n8n: SSRF bypasses allowlist, exfiltrates credentials

CRITICAL
Published June 22, 2026
CISO Take

CVE-2026-56348 is a server-side request forgery (SSRF) flaw in n8n's dynamic node parameters endpoint that allows any authenticated user to cause the automation server to issue HTTP requests—complete with stored service credentials—to arbitrary external hosts, silently defeating the Allowed HTTP Request Domains security control. In AI automation environments, n8n typically holds API keys for LLM providers, cloud services, and databases as workflow credentials, meaning a single exploited low-privilege account can cascade into full-stack credential theft across every service integrated into the platform. The CVSS score of 9.1 with Scope:Changed confirms the disproportionate blast radius: one account compromise can expose every service credential wired into n8n, and with 109 prior CVEs in the package and an OpenSSF score of only 6.6/10, this is not an isolated lapse. Upgrade to n8n 2.20.0 immediately; as a short-term control, enforce outbound HTTP/HTTPS restrictions at the network layer and rotate all service credentials stored in n8n, particularly LLM API keys.

Sources: NVD, GitHub Advisory (GHSA-3875-8gcx-7v46), VulnCheck Advisory, ATLAS, OpenSSF

What is the risk?

Critical risk. CVSS 9.1 with low attack complexity, low privileges required, no user interaction, and a network-accessible attack vector makes this broadly exploitable by any authenticated n8n user. The Scope:Changed metric is the most significant indicator: exploitation impact extends well beyond the n8n application to every credential-bearing integration. Organizations running n8n as an AI agent orchestration hub—connecting LLM APIs, vector databases, and cloud infrastructure—face simultaneous credential exposure across all integrated services. Multi-tenant n8n deployments or instances with shared access are at highest risk since any user account, including trial or demo accounts, is a valid attack entry point. The domain allowlist bypass is particularly concerning because it invalidates a security control operators may have implemented specifically to mitigate SSRF, creating a false sense of protection.

How does the attack unfold?

Initial Access
Attacker authenticates to the n8n instance with a low-privilege account obtained via credential stuffing, phishing a workflow developer, or abusing a shared or trial account.
AML.T0012
SSRF Exploitation
Attacker sends a crafted POST to /rest/dynamic-node-parameters/options with an attacker-controlled host URL, causing n8n to issue an outbound HTTP request that bypasses the Allowed HTTP Request Domains allowlist.
AML.T0049
Credential Capture
n8n server issues an authenticated HTTP request to the attacker's host, transmitting stored service credentials—LLM API keys, OAuth tokens, database passwords—in request headers or body.
AML.T0083
Impact: Lateral Movement via Exfiltrated Credentials
Attacker uses captured API keys and tokens to access connected LLM providers, cloud services, and databases, pivoting across the victim's entire AI infrastructure.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
9.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): Low
A (Availability): Low

What should I do?

5 steps
  1. Patch: Upgrade n8n to version 2.20.0 or later immediately—this is the only complete remediation.

  2. Network-layer controls: If patching cannot be immediate, block outbound HTTP/HTTPS from the n8n host to untrusted external destinations at the firewall or WAF layer; do not rely on n8n's application-level allowlist as it is bypassed by this CVE.

  3. Credential rotation: Rotate all service credentials stored in n8n—LLM API keys (OpenAI, Anthropic, etc.), cloud service accounts, database passwords, and OAuth tokens—as a precautionary measure, particularly if the n8n instance was internet-accessible.

  4. Detection: Query n8n application logs and network egress telemetry for POST requests to /rest/dynamic-node-parameters/options with external host parameters, and for outbound HTTP connections to non-allowlisted destinations, spanning the period since the last n8n update.

  5. Access review: Audit authenticated n8n users and remove any unnecessary, shared, or trial accounts that could serve as attack entry points.
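A log-hunting sketch for step 4, added here as an example (not n8n's code or tooling): it flags POSTs to the dynamic-node-parameters endpoint that name a host outside the operator's allowlist, flags egress from the n8n host to non-allowlisted destinations, and correlates the two by host and time. The log line formats, user names, hosts and allowlist contents are all constructed assumptions; adapt the parsers to your proxy and firewall exports.

```python
"""Hunt for CVE-2026-56348 activity in two constructed log sources and correlate them.
Added example, not n8n's code: the log formats and the allowlist are illustrative
assumptions; adapt the parsers to your proxy / firewall export."""
from datetime import datetime

ENDPOINT = "/rest/dynamic-node-parameters/options"
ALLOWED_DOMAINS = {"api.openai.com", "api.anthropic.com"}  # assumed operator allowlist

# Constructed proxy/audit log: ts user method path host=<host named in the request body>
ACCESS_LOG = """\
2026-06-23T10:01:02Z alice POST /rest/dynamic-node-parameters/options host=api.openai.com
2026-06-23T10:02:15Z trial1 POST /rest/dynamic-node-parameters/options host=203.0.113.50
2026-06-23T10:03:40Z alice GET /rest/workflows host=-
"""
# Constructed egress telemetry from the n8n host: ts dst_host dst_port
EGRESS_LOG = """\
2026-06-23T10:01:03Z api.openai.com 443
2026-06-23T10:02:16Z 203.0.113.50 8080
"""

def host_is_allowed(host, allowed=ALLOWED_DOMAINS):
    """Exact or subdomain match against the allowlist (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def suspicious_requests(access_log):
    """POSTs to the vulnerable endpoint whose named host is outside the allowlist."""
    hits = []
    for line in access_log.splitlines():
        ts, user, method, path, extra = line.split(maxsplit=4)
        host = extra.removeprefix("host=")
        if method == "POST" and path == ENDPOINT and host != "-" and not host_is_allowed(host):
            hits.append((ts, user, host))
    return hits

def unexpected_egress(egress_log):
    """Outbound connections from the n8n host to non-allowlisted destinations."""
    rows = (line.split() for line in egress_log.splitlines())
    return [(ts, dst, port) for ts, dst, port in rows if not host_is_allowed(dst)]

def correlate(requests, egress, window_s=5):
    """Pair each suspicious request with egress to the same host within window_s seconds."""
    pairs = []
    for ts, user, host in requests:
        for ets, dst, port in egress:
            lag = (datetime.fromisoformat(ets[:-1]) - datetime.fromisoformat(ts[:-1])).total_seconds()
            if dst == host and 0 <= lag <= window_s:
                pairs.append({"user": user, "host": host, "port": port, "lag_s": lag})
    return pairs
```

A correlated pair (request naming a non-allowlisted host followed within seconds by egress to that same host) is the signal to escalate; either half alone may be benign.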

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.9.3 - AI system security controls
NIST AI RMF
MANAGE 2.2 - Mechanisms exist to sustain AI risk management for third-party entities
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-56348?

CVE-2026-56348 is a server-side request forgery (SSRF) flaw in n8n's dynamic node parameters endpoint that allows any authenticated user to cause the automation server to issue HTTP requests—complete with stored service credentials—to arbitrary external hosts, silently defeating the Allowed HTTP Request Domains security control. In AI automation environments, n8n typically holds API keys for LLM providers, cloud services, and databases as workflow credentials, meaning a single exploited low-privilege account can cascade into full-stack credential theft across every service integrated into the platform. The CVSS score of 9.1 with Scope:Changed confirms the disproportionate blast radius: one account compromise can expose every service credential wired into n8n, and with 109 prior CVEs in the package and an OpenSSF score of only 6.6/10, this is not an isolated lapse. Upgrade to n8n 2.20.0 immediately; as a short-term control, enforce outbound HTTP/HTTPS restrictions at the network layer and rotate all service credentials stored in n8n, particularly LLM API keys.

Is CVE-2026-56348 actively exploited?

No confirmed active exploitation of CVE-2026-56348 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-56348?

  1. Patch: Upgrade n8n to version 2.20.0 or later immediately—this is the only complete remediation.

  2. Network-layer controls: If patching cannot be immediate, block outbound HTTP/HTTPS from the n8n host to untrusted external destinations at the firewall or WAF layer; do not rely on n8n's application-level allowlist as it is bypassed by this CVE.

  3. Credential rotation: Rotate all service credentials stored in n8n—LLM API keys (OpenAI, Anthropic, etc.), cloud service accounts, database passwords, and OAuth tokens—as a precautionary measure, particularly if the n8n instance was internet-accessible.

  4. Detection: Query n8n application logs and network egress telemetry for POST requests to /rest/dynamic-node-parameters/options with external host parameters, and for outbound HTTP connections to non-allowlisted destinations, spanning the period since the last n8n update.

  5. Access review: Audit authenticated n8n users and remove any unnecessary, shared, or trial accounts that could serve as attack entry points.

What systems are affected by CVE-2026-56348?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, Multi-service LLM automation workflows, RAG data ingestion pipelines using workflow automation, AI model evaluation and CI/CD pipelines, Multi-tenant AI workflow platforms.

What is the CVSS score for CVE-2026-56348?

CVE-2026-56348 has a CVSS v3.1 base score of 9.1 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

AI agent orchestration platforms
Multi-service LLM automation workflows
RAG data ingestion pipelines using workflow automation
AI model evaluation and CI/CD pipelines
Multi-tenant AI workflow platforms

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data.

Exploitation Scenario

An attacker who has obtained low-privilege authenticated access to an organization's n8n instance—via credential stuffing against a weak password, phishing a workflow developer, or abusing a shared demo account—sends a crafted POST request to /rest/dynamic-node-parameters/options. The request body contains a URL pointing to an attacker-controlled server (e.g., a VPS running a simple HTTP listener). n8n processes the dynamic node parameter lookup and issues an HTTP request to the attacker's host, including the stored service credentials associated with the relevant workflow node in the request headers or body. The attacker's listener captures the Authorization header containing, for example, an OpenAI API key embedded in an AI summarization workflow. With the stolen key, the attacker runs unlimited LLM inference at the victim's expense, exfiltrates proprietary system prompts and workflow logic, or pivots laterally to other systems connected to the same n8n instance. The bypass of the Allowed HTTP Request Domains allowlist means this succeeds even against hardened n8n deployments where administrators believed SSRF was mitigated.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Timeline

Published
June 22, 2026
Last Modified
June 22, 2026
First Seen
June 23, 2026

Related Vulnerabilities