Impact
n8n is an open-source workflow automation platform that stores generic HTTP credentials (httpBasicAuth, httpHeaderAuth, and httpQueryAuth) encrypted on disk. Prior to the patched releases, an authenticated user holding the global:member role could chain two authorization gaps: a name-based credential resolution path that looks a credential up by name without checking ownership or project boundaries, and a bypass in the credential permission checker that skips generic HTTP credential types during pre-execution validation. Together these allow the attacker to obtain the ID of another user's credential, have it decrypted at runtime, and use the plaintext secret against external services without authorization. The result is disclosure of sensitive credentials belonging to other users on the same instance, which can lead to account takeover or data exfiltration. The flaw is classified as CWE-639, unauthorized use of privileged credentials.
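The two gaps described above, modelled as an added TypeScript example that is not n8n's own code: a hypothetical in-memory credential store with constructed sample data, a name-only lookup and a type-skipping permission check standing in for the vulnerable pattern, and the scoped lookup and uniform access check that close both gaps. All type names, function names and sample values are assumptions.

```typescript
// Added example, not n8n's code. Hypothetical types and an in-memory store
// illustrate the advisory's two authorization gaps and the checks that close them.

interface Credential {
  id: string;
  name: string;
  type: string;       // e.g. "httpHeaderAuth"
  ownerId: string;
  projectId: string;
}

interface Requester {
  userId: string;
  projectIds: string[]; // projects the requester is a member of
}

// Generic HTTP credential types named in the advisory.
const GENERIC_HTTP_TYPES = new Set(["httpBasicAuth", "httpHeaderAuth", "httpQueryAuth"]);

// Constructed sample data: two users in separate projects, with a name collision.
const STORE: Credential[] = [
  { id: "c-1", name: "api-key", type: "httpHeaderAuth", ownerId: "alice", projectId: "p-alice" },
  { id: "c-2", name: "api-key", type: "httpBasicAuth", ownerId: "bob", projectId: "p-bob" },
  { id: "c-3", name: "slack", type: "slackApi", ownerId: "alice", projectId: "p-alice" },
];

const alice: Requester = { userId: "alice", projectIds: ["p-alice"] };
const bob: Requester = { userId: "bob", projectIds: ["p-bob"] };

// Single source of truth for access: the owner, or a member of the owning project.
function isAccessible(req: Requester, cred: Credential): boolean {
  return cred.ownerId === req.userId || req.projectIds.includes(cred.projectId);
}

// Gap 1 (vulnerable pattern): resolution by name alone, with no ownership or
// project filter, so a colliding name returns whichever record comes first.
function resolveIdByNameUnscoped(name: string): string | undefined {
  return STORE.find(c => c.name === name)?.id;
}

// Gap 2 (vulnerable pattern): the pre-execution checker short-circuits for
// generic HTTP types, so they are never compared against the requester.
function canExecuteWithSkip(req: Requester, credId: string): boolean {
  const cred = STORE.find(c => c.id === credId);
  if (!cred) return false;
  if (GENERIC_HTTP_TYPES.has(cred.type)) return true; // the bypass
  return isAccessible(req, cred);
}

// Hardened resolution: the lookup is scoped to the requester up front, so an
// inaccessible credential's ID is never returned in the first place.
function resolveIdByNameScoped(req: Requester, name: string): string | undefined {
  return STORE.find(c => c.name === name && isAccessible(req, c))?.id;
}

// Hardened check: every credential type goes through the same access test.
function canExecute(req: Requester, credId: string): boolean {
  const cred = STORE.find(c => c.id === credId);
  return cred !== undefined && isAccessible(req, cred);
}

// Exercises both paths from bob's perspective so the difference is visible at once.
function demo(): Record<string, boolean> {
  const leakedId = resolveIdByNameUnscoped("api-key"); // "c-1", owned by alice
  return {
    vulnerableChainSucceeds: leakedId !== undefined && canExecuteWithSkip(bob, leakedId),
    hardenedResolutionReturnsOwn: resolveIdByNameScoped(bob, "api-key") === "c-2",
    hardenedCheckBlocks: !canExecute(bob, "c-1"),
    ownerStillAllowed: canExecute(alice, "c-1"),
  };
}
```

The design point is that `isAccessible` is the only place access is decided: the resolver calls it before returning an ID, and the execution check calls it for every type, so there is no second code path to drift out of sync with the first.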
Affected Systems
The vulnerability is limited to the Community Edition of n8n. All releases prior to versions 2.14.1, 2.13.3, and 1.123.27 are affected, as indicated by the provided CPE strings. The Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain, so it is not affected.
Risk and Exploitability
The flaw carries a CVSS score of 8.5 (high severity), but an EPSS score below 1% suggests a low likelihood of exploitation in the wild, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated member-role account on the same instance; once that precondition is met, any other user's generic HTTP credentials on that instance can be retrieved. There is no unauthenticated network vector. The potential impact is a confidentiality breach for every user of the affected instance.
OpenCVE Enrichment
Github GHSA