CVE-2026-42227

MEDIUM

n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure

Title source: cna

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 10.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (8)

n8n/n8n 2.18.0

n8n/n8n < 1.123.32

n8n-io/n8n < 1.123.32

n8n-io/n8n >= 2.17.0, < 2.17.4

n8n-io/n8n >= 2.18.0, < 2.18.1

npm/n8n 0 - 1.123.32npm

npm/n8n 2.0.0 - 2.17.4npm

npm/n8n 2.18.0 - 2.18.1npm

Published May 04, 2026

Tracked Since May 05, 2026