PT-2026-50170 · Npm · N8N

Published

2026-06-16

Updated

2026-06-16

CVE-2026-54304

CVSS v3.1

7.7

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Impact

An authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached the SecurityScorecard API token to the outbound request, causing the credential to be sent to the attacker-controlled host bypassing credential configured limitations and exfiltrating.

Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

Limit workflow creation and editing permissions to fully trusted users only.
Disable the SecurityScorecard node by adding n8n-nodes-base.securityScorecard to the NODES EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2026-54304

GHSA-RM2V-H48J-895M

Affected Products

N8N

PT-2026-50170 · Npm · N8N

CVE-2026-54304

Impact

Patches

Workarounds

Weakness Enumeration

Related Identifiers

Affected Products

References · 3