Auth bypass in N8n

CVE-2026-59259

n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with…

Vulnerability class: IDOR (Insecure Direct Object Reference)

Affected products

  • N8n — versions 0, 1.123.61, 2.28.1

Weakness classification (CWE)

References