Skip to main content

n8n EUVDEUVD-2026-27093

| CVE-2026-42226 HIGH
Missing Authorization (CWE-862)
2026-04-29 https://github.com/n8n-io/n8n GHSA-r4v6-9fqc-w5jr
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
May 04, 2026 - 20:01 EUVD
Re-analysis Queued
May 04, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
May 04, 2026 - 19:22 NVD
8.5 (HIGH) 7.1 (HIGH)
Source Code Evidence Fetched
Apr 29, 2026 - 22:01 vuln.today
Analysis Generated
Apr 29, 2026 - 22:01 vuln.today
Analysis Generated
Apr 29, 2026 - 21:30 vuln.today
CVE Published
Apr 29, 2026 - 21:22 nvd
HIGH 8.5

DescriptionGitHub Advisory

Impact

The dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key.

The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected.

Patches

The issue has been fixed in n8n version 2.18.0. Users should upgrade to this version or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Restrict n8n access to fully trusted users only.
  • Avoid sharing workflows with users who should not have access to the credentials those workflows reference.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

Authenticated users with shared workflow access in n8n can exfiltrate other users' API credentials by injecting foreign credential IDs into dynamic-node-parameters endpoint requests. The vulnerability forces the n8n backend to decrypt and replay stolen credentials against attacker-controlled URLs, enabling credential theft across workflow collaborators. Affects npm package n8n versions <1.123.33 and 2.17.0-2.17.4, with vendor-confirmed patches available in 1.123.33 and 2.17.5. No public exploit identified at time of analysis, though CVSS 8.5 with scope change (S:C) reflects the multi-tenant credential boundary violation.

Technical ContextAI

This vulnerability exists in n8n's workflow automation platform, specifically in the dynamic-node-parameters API endpoints responsible for runtime credential resolution. The underlying flaw is CWE-862 (Missing Authorization), where the API endpoints perform credential decryption and usage without validating whether the authenticated caller is authorized to access the referenced credential object. The npm package n8n implements a multi-user credential store where users can share workflows but maintain separate credential ownership. The vulnerable code path allows a low-privileged authenticated user (PR:L) to supply an arbitrary credential ID in the request body to endpoints that resolve node parameters dynamically. Because the caller also controls the destination URL parameter in these helper execution paths, they can direct the backend to authenticate against attacker infrastructure using the decrypted credential material, effectively turning the n8n server into a credential replay proxy. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses trust boundaries between user credential stores.

RemediationAI

Upgrade to n8n version 1.123.33 if running 1.x releases or to n8n version 2.17.5 (or 2.18.0) if running 2.17.x releases per vendor advisory GHSA-r4v6-9fqc-w5jr at https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr. The patches implement proper authorization checks in the dynamic-node-parameters endpoints to validate credential access permissions before decryption and usage. If immediate patching is not feasible, implement these temporary mitigations with noted limitations: restrict n8n instance access to only fully trusted users and disable workflow sharing features to prevent untrusted users from accessing shared workflows containing credential references. Note that these workarounds do not address the underlying authorization flaw and only reduce attack surface by limiting the attacker population-a malicious insider with legitimate access can still exploit the vulnerability. Audit credential usage logs if available to identify potential historical exploitation attempts where credential IDs were accessed by unauthorized workflow collaborators. The vendor explicitly states these mitigations are short-term only and do not fully remediate risk.

Share

EUVD-2026-27093 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy