highCVE-2026-59207

n8n AI Agents Credential Domain Restriction Bypass Vulnerability

n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, allowing a member-level user with use-only access to a shared credential to send its secret to an external server they control. This issue is fixed in versions 2.27.4 and 2.28.1.

Productn8n
CVSS7.1
EPSSNot scored yet
UpdatedJuly 9, 2026

Quick answer

n8n should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Before 2.27.4
  • Before 2.28.1

Fixed versions

  • 2.27.4
  • 2.28.1

How to fix it

n8n AI Agents can bypass the allowed HTTP request domain restriction when an MCP tool is pointed at an arbitrary URL. Upgrade to n8n 2.27.4, 2.28.1, or a later fixed release and review workflows that use shared credentials with AI Agents or MCP tools. Prioritize deployments where lower-privilege users have use-only access to sensitive credentials.

  1. Inventory n8n workflows that use AI Agents, MCP tools, HTTP tools, or shared credentials.
  2. Upgrade affected n8n instances to 2.27.4, 2.28.1, or a later fixed release.
  3. Review Allowed HTTP Request Domains settings on credentials used by AI Agents and MCP tools.
  4. Disable or restrict MCP tool URLs and AI Agent workflow execution until patching is complete.
  5. Audit workflow runs, outbound requests, credential usage, and external domains for attempts to exfiltrate shared secrets.
  6. Rotate credentials exposed to AI Agent workflows if suspicious outbound calls are found.
  7. Limit workflow creation, credential sharing, and AI Agent execution permissions to trusted users.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the running n8n version is fixed for CVE-2026-59207.
  • Validate AI Agent MCP tools cannot send restricted credentials to unapproved external domains.
  • Review execution logs and outbound network telemetry for suspicious MCP or HTTP destinations.
  • Test legitimate AI Agent workflows after the update and policy changes.
  • Run a Fixnx scan and confirm no public n8n administration exposure remains.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-59207?

n8n versions listed as affected should be reviewed: Before 2.27.4, Before 2.28.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.