Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Published: 2026-05-04
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated API user who possesses a key with the variable:list permission to retrieve workflow variables from any project by supplying an arbitrary projectId in the public API variables endpoint. Because the endpoint bypasses the normal authorization checks, an attacker can read variables that may contain sensitive data such as credentials or tokens, resulting in data leakage.

Affected Systems

n8n‑io’s n8n platform, versions older than 1.123.32, 2.17.4, and 2.18.1. The issue applies only to licensed enterprise or team deployments that host multiple projects and have the variables feature enabled.

Risk and Exploitability

The CVSS score of 6 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. A legitimate user with a variable:list scoped API key can exploit the flaw by calling the public API with a crafted projectId, thereby bypassing project membership checks. The attack requires no additional privileges beyond the API key scope and can lead to exposure of sensitive configuration data.

Generated by OpenCVE AI on May 4, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n version 1.123.32 or later, or 2.17.4/2.18.1;
  • Rotate any credentials or tokens that may have been stored in variables exposed by the attack;
  • Restrict or revoke API keys that possess the variable:list permission until a secure implementation is confirmed;

Generated by OpenCVE AI on May 4, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Title n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T18:26:18.419Z

Reserved: 2026-04-25T05:37:12.117Z

Link: CVE-2026-42227

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T19:16:04.743

Modified: 2026-05-04T19:16:04.743

Link: CVE-2026-42227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses