n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host
Description
An authenticated attacker can exfiltrate a SecurityScorecard API token by tricking the n8n node into sending it to an attacker-controlled URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The n8n SecurityScorecard node, in n8n versions before 1.123.55, 2.25.7, and 2.26.1, fails to validate the target URL for the report download operation. An authenticated user with permission to create or modify workflows, and with access to a SecurityScorecard credential configured with a restricted set of allowed domains, can set the download URL to an attacker-controlled host [1][2]. The node then attaches the stored API token to that outbound request, bypassing the domain restrictions that were intended to limit where the credential can be used.
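The missing check described above, shown as an added illustration rather than n8n's code or the actual fix: a vulnerable shape that attaches the token to whatever URL the workflow supplied, beside a hardened shape that validates the parsed host against the credential's allowlist first. The allowlisted host, the Authorization header scheme and the function names are assumptions for the example.

```javascript
// Added example, not n8n's code: a vulnerable and a hardened shape of the
// report-download step. Allowlist host and header scheme are assumptions.

// Hosts this credential may reach (assumed value, not taken from the advisory).
const ALLOWED_HOSTS = ["api.securityscorecard.io"];

// Accept only an https URL whose parsed hostname exactly matches an allowlisted
// host. Exact matching rejects look-alikes such as
// "api.securityscorecard.io.attacker.example.com" and the userinfo trick
// "https://api.securityscorecard.io@attacker.example.com/" (real host after "@").
function isAllowedReportUrl(raw, allowed = ALLOWED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return false; // unparseable input never gets a credential attached
  }
  if (parsed.protocol !== "https:") return false; // no plaintext token transport
  if (parsed.username !== "" || parsed.password !== "") return false; // reject userinfo
  return allowed.includes(parsed.hostname.toLowerCase());
}

// Vulnerable shape: the token rides along to whatever URL the workflow supplied,
// so a user-controlled download URL receives the stored credential.
function buildReportRequestUnsafe(url, token) {
  return { url, headers: { Authorization: `Token ${token}` } };
}

// Hardened shape: the allowlist check runs before the credential is attached;
// the caller gets an error instead of a request to an unexpected host.
function buildReportRequestSafe(url, token) {
  if (!isAllowedReportUrl(url)) {
    throw new Error(`report download host not permitted for this credential: ${url}`);
  }
  return buildReportRequestUnsafe(url, token);
}

// Constructed demonstration values (no real token).
const SAMPLE_TOKEN = "EXAMPLE-TOKEN-NOT-REAL";
const HOSTILE_URL = "https://attacker.example.com/malicious-endpoint";
console.log("unsafe:", buildReportRequestUnsafe(HOSTILE_URL, SAMPLE_TOKEN).headers.Authorization);
try {
  buildReportRequestSafe(HOSTILE_URL, SAMPLE_TOKEN);
} catch (err) {
  console.log("safe:", err.message);
}
```

The check is deliberately an exact-host match rather than a substring or suffix test, because the allowlist is only as strong as the parsing that feeds it.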
Exploitation
An attacker must have a valid n8n account with workflow creation or modification privileges and be able to use a SecurityScorecard credential (even one restricted to specific domains) [1][2]. The attacker creates or modifies a workflow that includes the SecurityScorecard node and configures the report download operation to point to a URL they control (e.g., https://attacker.example.com/malicious-endpoint). When the workflow executes (or on node save if the operation runs immediately), the n8n backend makes an HTTP request to the attacker-controlled URL, including the full API token in the request headers or body [1][2].
Impact
A successful attack results in the exfiltration of the SecurityScorecard API token to an external host controlled by the attacker [1][2]. The attacker can then use that token to access the SecurityScorecard API with the same permissions as the original credential, potentially accessing data outside the originally intended scope. The CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N scores this as a high-severity vulnerability with high confidentiality impact [1].
Mitigation
The vulnerability is fixed in n8n versions 1.123.55, 2.25.7, and 2.26.1 [1][2]. Users should upgrade to one of these versions or later immediately. If upgrading is not possible, administrators should restrict workflow creation and editing permissions to fully trusted users only, and may temporarily disable the SecurityScorecard node by adding n8n-nodes-base.securityScorecard to the NODES_EXCLUDE environment variable [1][2]. Note that these workarounds do not fully eliminate the risk and are recommended only as short-term measures.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — this section is generated only when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (1)
- n8n: 16 CVEs Disclosed in Single Batch — Credential Leaks, Prototype Pollution, and Sandbox Escape (Vypr Intelligence · Jun 16, 2026)