CVE-2026-33751: n8n Vulnerable to LDAP Filter Injection in LDAP Node

March 26, 2026

A flaw in the LDAP node’s filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node’s search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow.

Exploitation requires a specific workflow configuration:

The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook).

References

github.com/advisories/GHSA-w83q-mcmx-mh42
github.com/n8n-io/n8n
github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42
nvd.nist.gov/vuln/detail/CVE-2026-33751

Code Behaviors & Features

Detect and mitigate CVE-2026-33751 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →