Description
n8n is an open source workflow automation platform. Prior to versions 2.6.4 and 1.123.23, an authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the `externalSecret:list` permission check and allowed access to secrets stored in connected vaults without admin or owner privileges. This issue requires the instance to have an external secrets vault configured. The attacker must know or be able to guess the name of a target secret. The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict n8n access to fully trusted users only, and/or disable external secrets integration until the patch can be applied. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-03-25
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to external secret data
Action: Immediate Patch
AI Analysis

Impact

An authorization bypass in n8n allows a user who lacks permission to list external secrets to reference a secret by its external name while saving a credential, and the save response returns the secret's plaintext. The credential-saving path skipped the `externalSecret:list` check, so secret disclosure was possible for users without admin or owner privileges. The weakness is improper authorization (CWE-863) and directly compromises the confidentiality of secrets stored in connected vaults, which typically hold credentials for other systems.

Affected Systems

The flaw affects the open‑source workflow automation platform n8n from n8n‑io. Any installation running a version earlier than 2.6.4 or 1.123.23 that has external secrets integration enabled is vulnerable. Users must know or guess the external name of a target secret to exploit the bug.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 7.3 (High) from the GitHub advisory; NVD's CVSS 3.1 assessment is 5.3 (Medium, AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N), which rates attack complexity as high because the attacker must know or guess a secret's external name. EPSS is below 1% and the issue is not listed in the CISA KEV catalog, but the attack remains feasible for any authenticated user who can guess a secret name on an instance with a vault connected. The impact is substantial: the CVSS 4.0 vector records high subsequent-system impact (SC:H/SI:H/SA:H) because exposed vault secrets are often privileged credentials for connected services. The attack vector is the credential-saving API, requiring only valid authentication and knowledge of a secret's external identifier.
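To make the failure mode concrete, here is an added TypeScript model of the authorization gap beside a hardened save handler. It is illustrative code written for this page, not n8n's own implementation, and it assumes only that external secrets are referenced in credential fields with n8n's documented expression syntax `={{ $secrets.<provider>.<name> }}`; the user, scope, and vault structures are constructed stand-ins.

```typescript
// Added illustrative model of the authorization gap described above; this is
// not n8n's code. Assumption: external secrets are referenced in credential
// fields using the documented expression form ={{ $secrets.<provider>.<name> }}.

type Role = "global:owner" | "global:admin" | "global:member";

interface User {
  id: string;
  role: Role;
  scopes: string[]; // e.g. "externalSecret:list" (constructed scope model)
}

// Constructed stand-in for a connected vault. A real deployment resolves these
// from a provider such as AWS Secrets Manager or HashiCorp Vault.
const VAULT: { [provider: string]: { [name: string]: string } } = {
  vault: { "db-password": "s3cr3t-pg-pass", "stripe-key": "sk_live_example" },
};

// A field whose entire value is an external secret reference.
const SECRET_REF = /^=\{\{\s*\$secrets\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\s*\}\}$/;

// Lists every (provider, name) pair referenced by the credential data.
export function findSecretRefs(data: { [field: string]: string }): [string, string][] {
  const refs: [string, string][] = [];
  for (const field of Object.keys(data)) {
    const m = SECRET_REF.exec(data[field]);
    if (m) refs.push([m[1], m[2]]);
  }
  return refs;
}

function resolve(provider: string, name: string): string | undefined {
  const p = VAULT[provider];
  return p ? p[name] : undefined;
}

// Vulnerable pattern, matching the pre-fix behaviour the advisory describes:
// the save handler resolves every reference and hands the resolved data back
// to the caller without consulting the caller's scopes at all.
export function saveCredentialVulnerable(
  _user: User,
  data: { [field: string]: string },
): { [field: string]: string } {
  const out: { [field: string]: string } = {};
  for (const field of Object.keys(data)) {
    const m = SECRET_REF.exec(data[field]);
    const v = m ? resolve(m[1], m[2]) : undefined;
    out[field] = v === undefined ? data[field] : v; // plaintext leaves the server
  }
  return out;
}

export type SaveResult =
  | { ok: true; stored: { [field: string]: string } }
  | { ok: false; reason: string };

// Hardened pattern: a caller may reference external secrets only if they hold
// externalSecret:list; references are stored unresolved (resolution belongs to
// workflow execution, not to the save path), and plaintext never goes back to
// the client.
export function saveCredentialHardened(
  user: User,
  data: { [field: string]: string },
): SaveResult {
  const refs = findSecretRefs(data);
  if (refs.length > 0 && user.scopes.indexOf("externalSecret:list") === -1) {
    return { ok: false, reason: "externalSecret:list scope required to reference external secrets" };
  }
  // Only authorized callers reach this existence check, so it is not an oracle
  // for users who cannot list secrets anyway.
  for (const [p, n] of refs) {
    if (resolve(p, n) === undefined) return { ok: false, reason: "unknown secret " + p + "." + n };
  }
  const stored: { [field: string]: string } = {};
  for (const field of Object.keys(data)) stored[field] = data[field];
  return { ok: true, stored: stored };
}

// Constructed actors and a request from a member who guessed a secret name.
export const member: User = { id: "u2", role: "global:member", scopes: ["credential:create"] };
export const owner: User = {
  id: "u1",
  role: "global:owner",
  scopes: ["credential:create", "externalSecret:list"],
};
export const guessed = { password: "={{ $secrets.vault.db-password }}" };
```

Run against `guessed`, the vulnerable handler returns `s3cr3t-pg-pass` to the member account, while the hardened handler refuses the member and, for the owner, stores the unresolved expression rather than the plaintext. The design point is that the scope check must sit on the save path itself; checking it only on the listing endpoint leaves every other code path that resolves a reference unprotected.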

Generated by OpenCVE AI on March 25, 2026 at 19:41 UTC.

Remediation

Fixed by the vendor in n8n 1.123.23 (1.x line) and 2.6.4 (2.x line); upgrade to one of these versions or later. Until the upgrade is applied, the vendor's interim workarounds are to restrict n8n access to fully trusted users and/or disable external secrets integration; both are partial mitigations only and do not remediate the flaw.

OpenCVE Recommended Actions

  • Upgrade n8n to 1.123.23 or later on the 1.x line, or to 2.6.4 or later on the 2.x line.
  • Until then, restrict n8n access to fully trusted users only.
  • Until then, disable external secrets integration if the workflows can tolerate it.
  • On instances that ran a vulnerable version with a vault connected, treat any vault secret that a non-admin user could have referenced from a credential as potentially exposed and rotate it.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-fxcw-h3qj-8m8p
Title: n8n Has External Secrets Authorization Bypass in Credential Saving
History

Sat, 28 Mar 2026 03:15:00 +0000

Values added:
  • Metrics (SSVC): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 19:45:00 +0000

Values added:
  • CPEs: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
  • Metrics (CVSS v3.1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Mar 2026 12:00:00 +0000

Values added:
  • First time appeared: vendor N8n, product n8n
  • Vendors & Products: N8n / n8n

Wed, 25 Mar 2026 18:15:00 +0000

Values added:
  • Description: the advisory text shown at the top of this page
  • Title: n8n Has External Secrets Authorization Bypass in Credential Saving
  • Weaknesses: CWE-863
  • References
  • Metrics (CVSS v4.0): {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-28T01:32:07.841Z

Reserved: 2026-03-23T17:34:57.559Z

Link: CVE-2026-33722

Vulnrichment

Updated: 2026-03-28T01:31:59.973Z

NVD

Status : Analyzed

Published: 2026-03-25T19:16:51.153

Modified: 2026-03-27T19:34:18.007

Link: CVE-2026-33722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:34:15Z

Weaknesses