CVE-2026-54304
Status: Awaiting Analysis (queue)
SecurityScorecard API Token Exposure in n8n Workflow Automation

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.1, an authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached the SecurityScorecard API token to the outbound request, so the credential was sent to the attacker-controlled host, bypassing the limitations configured on the credential and exfiltrating the token. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.1.
CVSS Scores: CVSS v4.0 Base Score 7.1 (High)
EPSS Scores: not yet evaluated (probability and percentile pending)
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: n8n
Product: n8n
Version / Range: versions prior to 1.123.55, prior to 2.25.7, and prior to 2.26.1; the fixed versions themselves are not affected
Exploitability
CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI-Generated Analysis
Executive Summary

CVE-2026-54304 is a vulnerability in the n8n workflow automation platform versions prior to 1.123.55, 2.25.7, and 2.26.1. It allows an authenticated user who has permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains to exploit the SecurityScorecard node.

The attacker configures the node's report download operation with an attacker-controlled URL. The node builds the outbound request from that URL and attaches the SecurityScorecard API token to it without checking the destination against the credential's allowed-domains list, so the token is delivered to the attacker's host and the domain restriction is bypassed.

This vulnerability has been fixed in versions 1.123.55, 2.25.7, and 2.26.1 of n8n.

Impact Analysis

This vulnerability lets any n8n user who can edit workflows and use the SecurityScorecard credential (an insider, or an attacker holding a low-privilege n8n account) exfiltrate the SecurityScorecard API token. The allowed-domains restriction on the credential was the control meant to make sharing it safe; once the token reaches an attacker-controlled host it can be replayed against the SecurityScorecard API with the full rights of that token.

The impact is significant on confidentiality, as sensitive credentials are leaked, potentially allowing attackers to perform unauthorized actions or gather sensitive information.

The vulnerability has a high severity score (CVSS v4.0 Base Score 7.1), indicating a serious risk if exploited.

Detection Guidance

Exploitation leaves two kinds of evidence: a workflow whose SecurityScorecard node has a report download URL that points somewhere other than the SecurityScorecard API, and an outbound connection from the n8n host to that destination carrying the API token.

Because the request is issued by the n8n server itself using a legitimately stored credential, host-based alerting on the n8n process is unlikely to fire; look at workflow content and at egress instead.

Suggested commands or approaches include:

  • Export all workflows (for example with the n8n CLI's export:workflow command) and inspect every SecurityScorecard node that performs a report download: flag any URL whose host is not within the credential's allowed domains, and treat URLs built from n8n expressions as findings for manual review, since their host is only known at run time.
  • Capture or log egress from the n8n host and flag connections to hosts other than the SecurityScorecard API. Example tcpdump command, which records destination hosts only: tcpdump -i <interface> -nn '(tcp port 80 or tcp port 443) and not host <securityscorecard_api_host>'. The API token travels inside TLS, so it is not visible in a capture of port 443 traffic; attribute the connection by TLS SNI or from an egress proxy's logs. The -A option only helps for plain-HTTP destinations.
  • Review n8n execution logs for SecurityScorecard node runs in workflows that were created or modified around the time of any suspicious egress.
  • Audit which users hold workflow create/modify rights and which of them can use the SecurityScorecard credential; anyone in both sets could have exploited this, and the token should be rotated if such a workflow is found.
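The workflow-content check from the first bullet, as an added example that is not code from n8n or from the advisory. It reads the JSON that n8n's export:workflow command writes and reports every SecurityScorecard report-download node whose URL host is outside the credential's allowed domains or is an n8n expression. The node type name n8n-nodes-base.securityScorecard, the credential type securityScorecardApi, the resource/operation values report and download, the url parameter name and the allowed domain list are all assumptions to verify against a real export from your instance; the sample export embedded at the bottom is constructed.

```python
"""Offline triage of an n8n workflow export for CVE-2026-54304.

Added example for this page, not code from n8n or the advisory. Input: the JSON
from `n8n export:workflow --all --output=workflows.json` (a list of workflows;
a single workflow object is also accepted). The node/credential type names,
resource/operation values and 'url' parameter name are assumptions to verify
against the installed node; the sample export at the bottom is constructed."""
import json
import sys
from urllib.parse import urlsplit

# Assumed identifiers; confirm them against a real export from your instance.
SSC_NODE_TYPE = "n8n-nodes-base.securityScorecard"
SSC_CREDENTIAL_TYPE = "securityScorecardApi"
REPORT_RESOURCE = "report"
DOWNLOAD_OPERATION = "download"
URL_PARAM = "url"
# Domains the credential is expected to be limited to (assumption).
ALLOWED_DOMAINS = ["securityscorecard.io"]


def host_allowed(host, allowed_domains):
    """True when host equals an allowed domain or is a subdomain of it. The
    suffix match is anchored on a dot, so 'securityscorecard.io.example.net'
    does not pass for 'securityscorecard.io'."""
    host = host.lower().rstrip(".")
    for domain in allowed_domains:
        domain = domain.lower().lstrip("*.").rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_url(value, allowed_domains):
    """Return (verdict, host): 'allowed', 'disallowed', 'dynamic' (an n8n
    expression, which starts with '=' and is evaluated per execution, so the
    real host is unknown) or 'invalid' (not an http(s) URL with a host)."""
    if not isinstance(value, str) or not value:
        return "invalid", None
    if value.startswith("=") or "{{" in value:
        return "dynamic", None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "invalid", None
    if host_allowed(parts.hostname, allowed_domains):
        return "allowed", parts.hostname
    return "disallowed", parts.hostname


def find_report_download_findings(workflows, allowed_domains):
    """One finding per SecurityScorecard report-download node that does not
    target an allowed host. n8n omits parameters equal to their default from
    exports, so a report node with a url but no explicit operation is treated
    as a download rather than skipped."""
    findings = []
    for wf in workflows:
        for node in wf.get("nodes", []):
            if node.get("type") != SSC_NODE_TYPE:
                continue
            params = node.get("parameters", {})
            if params.get("resource") != REPORT_RESOURCE:
                continue
            operation = params.get("operation")
            if operation != DOWNLOAD_OPERATION and not (operation is None and URL_PARAM in params):
                continue
            verdict, host = classify_url(params.get(URL_PARAM), allowed_domains)
            if verdict == "allowed":
                continue
            cred = node.get("credentials", {}).get(SSC_CREDENTIAL_TYPE, {})
            findings.append({"workflow": wf.get("name"), "workflow_id": wf.get("id"),
                             "node": node.get("name"), "verdict": verdict, "host": host,
                             "url": params.get(URL_PARAM), "credential": cred.get("name")})
    return findings


def triage_export(json_text, allowed_domains=ALLOWED_DOMAINS):
    data = json.loads(json_text)
    workflows = data if isinstance(data, list) else [data]
    return find_report_download_findings(workflows, allowed_domains)


# Constructed sample export: a legitimate download, one aimed at an outside
# host, one hidden behind an expression (default operation), an unrelated node.
SAMPLE_EXPORT = json.dumps([
    {"id": "1", "name": "Monthly scorecard", "nodes": [
        {"name": "Download report", "type": SSC_NODE_TYPE, "typeVersion": 1,
         "parameters": {"resource": "report", "operation": "download",
                        "url": "https://api.securityscorecard.io/reports/files/abc123"},
         "credentials": {SSC_CREDENTIAL_TYPE: {"id": "3", "name": "SSC prod"}}}]},
    {"id": "2", "name": "Sync", "nodes": [
        {"name": "Exfil", "type": SSC_NODE_TYPE, "typeVersion": 1,
         "parameters": {"resource": "report", "operation": "download",
                        "url": "https://reports.example.net/collect"},
         "credentials": {SSC_CREDENTIAL_TYPE: {"id": "3", "name": "SSC prod"}}},
        {"name": "Fetch", "type": SSC_NODE_TYPE, "typeVersion": 1,
         "parameters": {"resource": "report", "url": "={{ $json.reportUrl }}"},
         "credentials": {SSC_CREDENTIAL_TYPE: {"id": "3", "name": "SSC prod"}}},
        {"name": "Set", "type": "n8n-nodes-base.set", "typeVersion": 3, "parameters": {}}]},
])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in triage_export(text):
        print(f"[{f['verdict']}] workflow={f['workflow']!r} node={f['node']!r} "
              f"host={f['host']} credential={f['credential']} url={f['url']}")
```

Run it with the path of an export file as the only argument, or with no argument to see it flag the two suspicious nodes in the constructed sample. Any disallowed or dynamic finding is reason to rotate the SecurityScorecard API token named in the finding, since the token may already have been sent to the listed host before the workflow was discovered.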
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade n8n to a fixed release: 1.123.55, 2.25.7 or 2.26.1, or any later version in the same release line. Note that a release such as 2.26.0 is later than 2.25.7 but still affected, so pick the fixed version for the line you run.
  • Restrict both halves of the precondition: limit workflow creation and modification rights to trusted users, and limit who can use or share the SecurityScorecard credential, since an attacker needs both.
  • Until the upgrade is applied, disable the SecurityScorecard node by listing its node type name in the NODES_EXCLUDE environment variable (a JSON array of node type names, taken from a workflow export); this requires an n8n restart and will stop existing workflows that use the node.
  • If any workflow is found that pointed the report download at a non-allowed URL, rotate the SecurityScorecard API token, because upgrading does not revoke a token that has already been sent out.
Compliance Impact

The vulnerability allows an authenticated user to exfiltrate the SecurityScorecard API token by sending it to an attacker-controlled URL, bypassing credential domain restrictions. This unauthorized disclosure of sensitive credentials could lead to data breaches or unauthorized access to systems.

Such unauthorized data exposure and potential misuse of credentials may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access.

Mitigations such as restricting workflow creation permissions to trusted users or disabling the vulnerable node can help reduce the risk and support compliance efforts.
