CVE-2026-33751 Overview
CVE-2026-33751 is an LDAP Injection vulnerability affecting n8n, an open source workflow automation platform. A flaw in the LDAP node's filter escape logic allows LDAP metacharacters to pass through unescaped when user-controlled input is interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow.
Critical Impact
Attackers can manipulate LDAP search filters to retrieve unauthorized directory records or bypass authentication mechanisms in affected n8n workflows.
Affected Products
- n8n versions prior to 1.123.27
- n8n versions prior to 2.13.3
- n8n versions prior to 2.14.1
Discovery Timeline
- 2026-03-25 - CVE-2026-33751 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33751
Vulnerability Analysis
This vulnerability (CWE-90: LDAP Injection) arises from improper neutralization of special elements used in LDAP queries. The n8n workflow automation platform's LDAP node contains inadequate filter escape logic that fails to properly sanitize LDAP metacharacters when processing user-controlled input through expressions.
When external user input—such as data from forms or webhooks—is passed into LDAP node search parameters via n8n expressions, the application does not adequately escape special LDAP filter characters. This allows attackers to inject malicious LDAP query fragments that alter the intended search logic.
Successful exploitation requires a specific workflow configuration where the LDAP node is used with user-controlled input passed via expressions. The impact includes the ability to retrieve unintended LDAP records from the directory service or bypass authentication checks that rely on LDAP queries within the workflow.
Root Cause
The root cause is insufficient input sanitization in the LDAP node's filter escape logic. LDAP filters use special metacharacters such as *, (, ), \, and null bytes that have syntactic meaning in LDAP search expressions. The vulnerable code path fails to properly escape these characters before interpolating user input into the filter string, enabling injection attacks.
Attack Vector
The attack is network-accessible and does not require authentication. An attacker can exploit this vulnerability by submitting crafted input through n8n workflow entry points such as webhooks or forms. The malicious input contains LDAP metacharacters designed to modify the filter logic. When this input is processed by the LDAP node without proper escaping, the attacker's injected filter syntax becomes part of the executed LDAP query.
For example, an attacker could inject filter syntax to change a query intended to find a specific user into one that returns all users, or manipulate boolean logic to bypass authentication filters. The vulnerability requires the workflow to be specifically configured to pass external input into LDAP search parameters. For detailed technical information, refer to the GitHub Security Advisory.
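The difference between raw interpolation and RFC 4515 value escaping, shown as an added example that is not n8n's LDAP node code. The filter template, attribute names and helper names are assumptions, and the inputs are constructed.

```javascript
// Added example: hypothetical helper names, not n8n's LDAP node source.

// RFC 4515 escaping for a value placed inside a filter assertion:
// backslash, '*', '(', ')' and NUL are replaced by \XX hex escapes.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Pattern the advisory describes: external input interpolated as-is.
function buildFilterUnsafe(uid) {
  return `(&(objectClass=person)(uid=${uid}))`;
}

// Hardened pattern: escape the value, then interpolate.
function buildFilterSafe(uid) {
  return `(&(objectClass=person)(uid=${escapeFilterValue(uid)}))`;
}

// Count "(attr..." assertions; '(' followed by &, | or ! opens an operator.
function countAssertions(filter) {
  return (filter.match(/\((?![&|!])/g) || []).length;
}

// Build both filters for each input and record how many assertions result.
function compare(inputs) {
  return inputs.map((input) => ({
    input,
    unsafe: buildFilterUnsafe(input),
    unsafeAssertions: countAssertions(buildFilterUnsafe(input)),
    safe: buildFilterSafe(input),
    safeAssertions: countAssertions(buildFilterSafe(input)),
  }));
}

// Constructed inputs: one ordinary value and two carrying metacharacters.
console.table(compare(['jdoe', '*', 'jdoe)(mail=*']));
```

With escaping applied, the filter keeps its two assertions for every input, and the metacharacters only ever appear as literal data inside the `uid` value.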
Detection Methods for CVE-2026-33751
Indicators of Compromise
- Unusual LDAP query patterns containing unexpected metacharacters such as *, )(, or \00
- LDAP authentication bypass attempts where users gain access without proper credentials
- Unexpected data retrieval from LDAP directories showing access to records outside normal scope
- Workflow execution logs showing malformed or suspiciously complex LDAP filter strings
Detection Strategies
- Monitor n8n workflow logs for LDAP node executions with unusual filter patterns
- Implement LDAP server-side logging to detect queries with injection patterns or anomalous filter syntax
- Review n8n workflows that use the LDAP node with expressions referencing external input sources
- Deploy application-layer monitoring to detect LDAP injection payloads in HTTP requests to n8n webhooks
Monitoring Recommendations
- Enable detailed logging on LDAP directory servers to capture all search queries
- Configure alerts for LDAP queries returning unexpectedly large result sets
- Monitor n8n workflow execution metrics for LDAP nodes processing webhook or form data
- Implement network traffic analysis to identify LDAP injection attempt signatures
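One way to apply the server-side logging strategy above, as an added example rather than vendor or n8n tooling: it compares each logged filter against the shape the workflow's template should produce. The OpenLDAP-style log lines are constructed, and the filter template and `EXPECTED_ATTRS` baseline are assumptions.

```javascript
// Added example with constructed log lines (OpenLDAP-style SRCH records).
// Assumed baseline: the workflow's filter template is
// (&(objectClass=person)(uid=<input>)), so exactly these attributes appear.
const EXPECTED_ATTRS = ['objectClass', 'uid'];

const SAMPLE_LOG = [
  'conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=person)(uid=jdoe))"',
  'conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=person)(uid=*))"',
  'conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=person)(uid=jdoe)(mail=*))"',
  'conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=person)(uid=\\2a))"',
];

// Pull every leaf assertion "(attr=value)" out of a filter string.
function leafAssertions(filter) {
  const re = /\(([A-Za-z][A-Za-z0-9;.-]*)[~<>]?=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)/g;
  return [...filter.matchAll(re)].map((m) => ({ attr: m[1], value: m[2] }));
}

// Return the reasons a logged filter deviates from the baseline (empty = OK).
function auditFilter(filter) {
  const reasons = [];
  const leaves = leafAssertions(filter);
  const attrs = leaves.map((l) => l.attr).join(',');
  if (attrs !== EXPECTED_ATTRS.join(',')) {
    reasons.push(`unexpected filter shape: ${attrs}`);
  }
  for (const { attr, value } of leaves) {
    if (attr === 'uid' && value.includes('*')) reasons.push('unescaped * in uid');
    if (value.includes('\\00')) reasons.push(`encoded NUL in ${attr}`);
  }
  return reasons;
}

// Scan log lines and report the connection id and reasons for each hit.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /^conn=(\d+).*filter="([^"]*)"/.exec(line);
    if (!m) continue;
    const reasons = auditFilter(m[2]);
    if (reasons.length) hits.push({ conn: Number(m[1]), reasons });
  }
  return hits;
}

console.log(scanLog(SAMPLE_LOG));
```

The last sample line carries a properly escaped asterisk (`\2a`), which is what a patched node would emit, and it is not flagged.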
How to Mitigate CVE-2026-33751
Immediate Actions Required
- Upgrade n8n to version 1.123.27, 2.13.3, 2.14.1, or later immediately
- Audit existing n8n workflows to identify any LDAP nodes receiving user-controlled input via expressions
- Restrict workflow creation and editing permissions to fully trusted users only as an interim measure
- Review LDAP directory access logs for signs of exploitation prior to patching
Patch Information
The vulnerability has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. The patch addresses the filter escape logic in the LDAP node to properly sanitize LDAP metacharacters before query construction. For additional details, see the GitHub Security Advisory.
Workarounds
- Disable the LDAP node by adding n8n-nodes-base.ldap to the NODES_EXCLUDE environment variable
- Avoid passing unvalidated external user input into LDAP node search parameters via expressions
- Limit workflow creation and editing permissions to fully trusted users only
- Implement input validation at the workflow level before passing data to LDAP nodes
# Configuration example - Disable LDAP node via environment variable
# NODES_EXCLUDE is parsed as a JSON array of node type names
export NODES_EXCLUDE='["n8n-nodes-base.ldap"]'


