Protection Mechanism Failure Affecting n8n-oci-entrypoint package, versions <2.27.4-r0


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.26% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-N8NOCIENTRYPOINT-17941882
  • published11 Jul 2026
  • disclosed9 Jul 2026

Introduced: 9 Jul 2026

NewCVE-2026-59207  (opens in a new tab)
CWE-693  (opens in a new tab)

How to fix?

Upgrade Minimos:latest n8n-oci-entrypoint to version 2.27.4-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream n8n-oci-entrypoint package and not the n8n-oci-entrypoint package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, allowing a member-level user with use-only access to a shared credential to send its secret to an external server they control. This issue is fixed in versions 2.27.4 and 2.28.1.