Improper Restriction of Communication Channel to Intended Endpoints Affecting n8n package, versions <2.27.4>=2.28.0 <2.28.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.26% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-N8N-17954286
  • published12 Jul 2026
  • disclosed9 Jul 2026
  • credittrap-bytes

Introduced: 9 Jul 2026

NewCVE-2026-59207  (opens in a new tab)
CWE-923  (opens in a new tab)

How to fix?

Upgrade n8n to version 2.27.4, 2.28.1 or higher.

Overview

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to Improper Restriction of Communication Channel to Intended Endpoints via the AI Agents MCP verifier in packages/cli/src/modules/agents/builder/agents-builder-tools.service.ts. An attacker can send the agent to an arbitrary MCP server URL and cause a shared credential’s secret to be sent to a server they control by running an AI Agent with a member-shared credential that has domain restrictions. This affects deployments with the AI Agents module enabled and credentials shared with member-level users. The vulnerable MCP request path did not enforce the credential’s allowed-domain restriction, so the agent could make outbound requests that exposed the credential outside the intended set of domains.

Notes

  • The advisory’s affected deployments are narrower than “AI Agents enabled” alone: it only applies when N8N_ENABLED_MODULES=agents is set and a credential with an Allowed HTTP Request Domains restriction has been shared to a member-level user.
  • The credential exfiltration path is through the AI Agents MCP connector’s verifier, so the issue sits in the outbound MCP tool-check flow rather than general agent execution or other credential-sharing paths.

Workarounds

  • Disable the AI Agents module by removing agents from N8N_ENABLED_MODULES; this prevents member users from using the MCP connector path that can send a shared credential secret to an arbitrary server.
  • Restrict credential sharing to fully trusted users only; this limits exposure of domain-restricted credentials to users who could misuse the MCP tool to exfiltrate secrets.
  • Audit credentials with domain restrictions for unexpected sharing relationships; this helps identify and remove shares that could allow the bypass to be exercised.

CVSS Base Scores

version 4.0
version 3.1