NVD Vulnerability Detail
Search Exploit, PoC
CVE-2026-54304
Summary

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.1, an authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached the SecurityScorecard API token to the outbound request, causing the credential to be sent to the attacker-controlled host bypassing credential configured limitations and exfiltrating. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.1.

Publication Date June 24, 2026, 2:17 a.m.
Registration Date June 27, 2026, 4:14 a.m.
Last Update June 26, 2026, 11:24 a.m.
CVSS3.1 : HIGH
スコア 7.7
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
攻撃元区分(AV) ネットワーク
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR)
利用者の関与(UI) 不要
影響の想定範囲(S) 変更あり
機密性への影響(C)
完全性への影響(I) なし
可用性への影響(A) なし
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* 1.123.55
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* 2.0.0 2.25.7
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* 2.26.0 2.26.1
Related information, measures and tools
Common Vulnerabilities List