GHSA-3875-8gcx-7v46: n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass

May 19, 2026 (updated June 22, 2026)

The POST /rest/dynamic-node-parameters/options endpoint allowed any authenticated user to cause the n8n server to issue HTTP requests including credentials bypassing the intended restrictions on which hosts could be contacted for that credential (Allowed HTTP Request Domains). The user needed to be authenticated and have access to the credential.

References

github.com/advisories/GHSA-3875-8gcx-7v46
github.com/n8n-io/n8n/security/advisories/GHSA-3875-8gcx-7v46
nvd.nist.gov/vuln/detail/CVE-2026-56348

Code Behaviors & Features

Detect and mitigate GHSA-3875-8gcx-7v46 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →