CVE-2026-42226

HIGH

n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay

Title source: cna

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 17.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (5)

n8n/n8n < 1.123.33

n8n-io/n8n < 1.123.33

n8n-io/n8n >= 2.17.0, < 2.17.5

npm/n8n 0 - 1.123.33npm

npm/n8n 2.17.0 - 2.17.5npm

Published May 04, 2026

Tracked Since May 05, 2026