Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Impact
An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller.
If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately.
This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled.
Patches
The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict n8n access and API key issuance to fully trusted users only.
- Audit existing project variables for sensitive values and rotate any secrets that may have been exposed.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Insecure Direct Object Reference (IDOR) in n8n's public API variables endpoint allows authenticated users with variable:list API key scope to read project variables from any project regardless of membership by manipulating the projectId query parameter. The API handler bypassed project membership authorization checks present in the enterprise service layer, enabling cross-project secret disclosure. This affects only licensed enterprise or team deployments with multiple projects and variables feature enabled. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1.
Technical ContextAI
n8n is a low-code workflow automation platform with enterprise deployments supporting multi-project architectures and project-scoped variables feature. The vulnerability exists in the public API variables endpoint handler which directly queries the variables repository (likely a database abstraction layer) without invoking the authorization-aware service layer used by internal controllers. CWE-639 (Authorization Bypass Through User-Controlled Key) is the root cause - the API endpoint accepts an arbitrary projectId parameter from authenticated users without validating membership eligibility. The variables feature stores workflow configuration data and is often misused to persist credentials or API tokens. The affected npm package is n8n across multiple version branches (1.x, 2.x).
RemediationAI
Upgrade immediately to n8n version 1.123.32 (for 1.x branch), 2.17.4 (for 2.x stable), or 2.18.1 (for 2.18.x). If immediate upgrade is not feasible, apply these temporary mitigations with explicit trade-offs: (1) Restrict n8n instance access and API key issuance to fully trusted internal users only - this reduces attacker surface but may limit legitimate automation workflows requiring API access. (2) Audit all project variables across all projects for sensitive values (credentials, tokens, API keys) and immediately rotate any exposed secrets in downstream systems - this is essential regardless of patching timeline. (3) Review API key scopes and revoke variable:list permissions for any API keys not actively used for legitimate automation. (4) Enable audit logging for API variable access if available in your deployment and monitor for cross-project queries. These mitigations do not eliminate the IDOR vulnerability and must be followed by patching within 48-72 hours for enterprise deployments. Reference: https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27095
GHSA-756q-gq9h-fp22