Description
n8n is an open source workflow automation platform. Prior to versions 2.6.4 and 1.123.23, an authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the `externalSecret:list` permission check and allowed access to secrets stored in connected vaults without admin or owner privileges. This issue requires the instance to have an external secrets vault configured. The attacker must know or be able to guess the name of a target secret. The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict n8n access to fully trusted users only, and/or disable external secrets integration until the patch can be applied. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-03-25
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Secret Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an authenticated user who does not have permission to list external secrets to read the plaintext value of a secret when a credential is saved in n8n. By referencing a secret through its external name, the user bypasses the `externalSecret:list` permission check, exposing secrets stored in connected vaults that would normally require admin or owner privileges. This results in unauthorized disclosure of sensitive information.
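The authorization gap described above, as an added illustrative model that is not n8n's code: the `{{ $secrets.<provider>.<name> }}` template syntax, the scope names on the user object and the in-memory vault are all assumptions made for this example. The vulnerable resolver substitutes any referenced secret at save time; the hardened resolver refuses the save unless the user holds the `externalSecret:list` scope named in the advisory.

```javascript
// Illustrative model of CVE-2026-33722 (CWE-863), not n8n's code.
// Assumptions: reference syntax, scope names and the vault object below.
const EXTERNAL_SECRET_REF = /\{\{\s*\$secrets\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\s*\}\}/g;

// Constructed sample: one connected vault provider exposing two secrets.
const vault = {
  'my-vault': { 'prod-db-password': 'hunter2', 'stripe-key': 'sk_live_example' },
};

// Constructed sample users: a member who may edit credentials but may not
// list external secrets, and an owner who may do both (scope names assumed).
const member = { id: 'u-member', scopes: ['credential:create', 'credential:update'] };
const owner = { id: 'u-owner', scopes: ['credential:create', 'credential:update', 'externalSecret:list'] };

// Constructed credential draft referencing a secret by its external name.
const draft = { user: 'app', password: '{{ $secrets.my-vault.prod-db-password }}' };

function hasScope(user, scope) {
  return user.scopes.includes(scope);
}

// Replaces every external-secret reference with its plaintext vault value.
function substitute(credentialData) {
  const out = {};
  for (const [field, value] of Object.entries(credentialData)) {
    out[field] = String(value).replace(EXTERNAL_SECRET_REF, (_, provider, name) => {
      const secret = vault[provider]?.[name];
      if (secret === undefined) throw new Error(`unknown secret ${provider}.${name}`);
      return secret;
    });
  }
  return out;
}

// Pre-fix behaviour: references are resolved for any user who can save the
// credential, so knowing a secret's name is enough to read its value.
function resolveCredentialVulnerable(user, credentialData) {
  return substitute(credentialData);
}

// Post-fix behaviour: a credential that references external secrets may only
// be saved by a user who is allowed to list them; other users get an error
// and no vault lookup happens.
function resolveCredentialHardened(user, credentialData) {
  const refs = Object.values(credentialData).flatMap((v) => [...String(v).matchAll(EXTERNAL_SECRET_REF)]);
  if (refs.length > 0 && !hasScope(user, 'externalSecret:list')) {
    throw new Error('forbidden: externalSecret:list is required to reference external secrets');
  }
  return substitute(credentialData);
}
```

Credentials that contain no external reference are unaffected by the added check, so ordinary credential saves by members keep working.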

Affected Systems

Affected vendors and versions include n8n-io n8n prior to versions 2.6.4 and 1.123.23. The flaw is present only when an external secrets vault is configured, and the user must be able to guess or know the target secret's name.

Risk and Exploitability

The flaw carries a CVSS score of 7.3, indicating high severity, but an EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker requires valid credentials, the ability to create or edit credentials, and knowledge of a secret name. Because the attack takes place within the n8n instance, the impact is confined to the secrets stored in the connected vault, but it can potentially compromise any sensitive data exposed through that vault.

Generated by OpenCVE AI on March 27, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n version 1.123.23, 2.6.4, or later.
  • If an immediate upgrade is not possible, restrict n8n access to fully trusted users only.
  • Alternatively, disable the external secrets integration until the patch can be applied.

Advisories

Source: GitHub GHSA
ID: GHSA-fxcw-h3qj-8m8p
Title: n8n Has External Secrets Authorization Bypass in Credential Saving

History

Sat, 28 Mar 2026 03:15:00 +0000
Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 19:45:00 +0000
Type: CPEs
Values added: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Mar 2026 12:00:00 +0000
Type: First Time appeared
Values added: N8n; N8n n8n
Type: Vendors & Products
Values added: N8n; N8n n8n

Wed, 25 Mar 2026 18:15:00 +0000
Type: Description
Values added: (identical to the Description section at the top of this record)
Type: Title
Values added: n8n Has External Secrets Authorization Bypass in Credential Saving
Type: Weaknesses
Values added: CWE-863
Type: References
Values added: (none recorded)
Type: Metrics (cvssV4_0)
Values added: {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-28T01:32:07.841Z

Reserved: 2026-03-23T17:34:57.559Z

Link: CVE-2026-33722

Vulnrichment

Updated: 2026-03-28T01:31:59.973Z

NVD

Status: Analyzed

Published: 2026-03-25T19:16:51.153

Modified: 2026-03-27T19:34:18.007

Link: CVE-2026-33722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:14Z

Weaknesses