CVE-2026-59207
Undergoing Analysis Undergoing Analysis - In Progress

AI Agent MCP Tool HTTP Request Domain Bypass in n8n

Vulnerability report for CVE-2026-59207, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, allowing a member-level user with use-only access to a shared credential to send its secret to an external server they control. This issue is fixed in versions 2.27.4 and 2.28.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
n8n n8n 2.28.0
n8n n8n to 2.27.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows a member-level user to bypass domain restrictions on shared credentials and send secret information to an external server they control. This poses a significant risk to the confidentiality of sensitive data.

Such unauthorized disclosure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access and transmission of personal and protected health information.

Organizations using affected versions of n8n with the AI Agents feature enabled and shared credentials with domain restrictions may face increased risk of data breaches, potentially resulting in regulatory penalties and reputational damage.

Executive Summary

CVE-2026-59207 is a vulnerability in the n8n workflow automation platform affecting versions prior to 2.27.4 and 2.28.1. It involves the AI Agents feature bypassing the configured Allowed HTTP Request Domains restriction on credentials. This means that a member-level user with use-only access to a shared credential could exploit this flaw by pointing an MCP tool at an arbitrary URL, allowing them to send the credential's secret to an external server they control.

The vulnerability only affects instances where the AI Agents module is enabled and at least one credential with domain restrictions is shared with a member-level user.

Impact Analysis

This vulnerability poses a significant risk to the confidentiality of your credentials because an unauthorized member-level user could exfiltrate secret information to an external server. While it does not fully impact system availability, it also presents a minor risk to data integrity.

  • Unauthorized disclosure of credential secrets to external servers.
  • Potential compromise of workflows that rely on those credentials.
  • Risk is limited to environments where AI Agents are enabled and credentials with domain restrictions are shared with member-level users.
Detection Guidance

Detection of this vulnerability involves checking if the AI Agents module is enabled in your n8n instance and if any member-level users with use-only access have shared credentials with domain restrictions. Monitoring network traffic for unusual outbound requests to external servers from the AI Agents feature could indicate exploitation attempts.

Since the vulnerability allows sending credential secrets to arbitrary external URLs, you can inspect logs or use network monitoring tools to detect unexpected HTTP requests originating from n8n to unknown or unauthorized domains.

Specific commands are not provided in the resources, but general approaches include:

  • Check environment variables to see if AI Agents module is enabled: `echo $N8N_ENABLED_MODULES`
  • Review n8n logs for suspicious HTTP requests or errors related to AI Agents.
  • Use network monitoring tools like `tcpdump` or `wireshark` to capture outbound HTTP traffic from the n8n server and filter for unusual destinations.
Mitigation Strategies

Immediate mitigation steps include upgrading n8n to version 2.28.1 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, temporary mitigations include:

  • Disable the AI Agents module by removing it from the N8N_ENABLED_MODULES environment variable.
  • Restrict credential sharing to only trusted users to prevent misuse by member-level users.
  • Audit all shared credentials that have domain restrictions to ensure they are not exposed or misused.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart