GHSA-rm2v-h48j-895m: n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host
Summary
An authenticated user in n8n (a workflow automation platform) could trick the SecurityScorecard node (a component that connects to SecurityScorecard's API) into sending an API token (a credential for accessing the service) to an attacker's server by configuring it to download reports from a malicious URL, bypassing security restrictions meant to limit where credentials can be sent. This allows the attacker to steal the API token and use it themselves.
Solution / Mitigation
The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily: limit workflow creation and editing permissions to fully trusted users only, or disable the SecurityScorecard node by adding `n8n-nodes-base.securityScorecard` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
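To illustrate the flaw class in the summary (a credential attached to a request whose destination the workflow author controls), here is an added JavaScript example; it is not n8n's or the SecurityScorecard node's code. It assumes a hypothetical report-download helper, an assumed API origin of https://api.securityscorecard.io and a `Token` authorization scheme, and shows the leaking pattern beside an origin check that keeps the token bound to the expected host.

```javascript
// Added illustration, not n8n's or the SecurityScorecard node's code.
// Assumptions: the credential is issued for exactly one API origin (the
// value below is assumed for illustration) and is sent as "Token <key>".
const API_ORIGIN = 'https://api.securityscorecard.io';

// Decide whether a credential may ride along to `rawUrl`: only an absolute
// URL whose scheme, host and port exactly match the expected origin, with no
// embedded user:pass (some clients turn that into a Basic auth header).
function credentialAllowedFor(rawUrl, allowedOrigin = API_ORIGIN) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // relative, empty or malformed input: never attach a token
  }
  if (url.username || url.password) return false;
  return url.origin === new URL(allowedOrigin).origin;
}

// Leaking pattern: the workflow-supplied URL is fetched with the token
// attached, so a URL pointing at any host receives the credential.
function downloadReportUnsafe(reportUrl, token, fetchImpl = fetch) {
  return fetchImpl(reportUrl, { headers: { Authorization: `Token ${token}` } });
}

// Hardened pattern: refuse any destination outside the credential's origin
// and do not follow redirects, so a 3xx from the API cannot bounce the
// request (and its Authorization header) to another host either.
function downloadReportSafe(reportUrl, token, fetchImpl = fetch) {
  if (!credentialAllowedFor(reportUrl)) {
    throw new Error(`refusing to send API token to ${reportUrl}`);
  }
  return fetchImpl(reportUrl, {
    headers: { Authorization: `Token ${token}` },
    redirect: 'manual',
  });
}
```

The same check belongs in front of every credentialed request a node makes from user-editable parameters, not only report downloads.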
Vulnerability Details
EPSS: 0.0%
June 16, 2026
Original source: https://github.com/advisories/GHSA-rm2v-h48j-895m
First tracked: June 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%