Auth bypass in N8n-io N8n

CVE-2026-33663

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plainte…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (6.4th percentile) — read the EPSS interpretation.

Affected products

N8n-io N8n — versions < 1.123.27, >= 2.0.0-rc.0, < 2.13.3, = 2.14.0

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35 (x_refsource_CONFIRM)