Auth bypass in N8n-io N8n

CVE-2026-33722

n8n is an open source workflow automation platform. Prior to versions 2.6.4 and 1.123.23, an authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plai…

Vulnerability class: Broken Access Control

EPSS: 0.000 (4.5th percentile)

Affected products

  • N8n-io N8n — versions < 1.123.23, and versions >= 2.0.0-rc.0 but < 2.6.4
