Authorization Flaws in n8n Workflow Automation Platform
CVE-2026-33663
What is CVE-2026-33663?
The n8n workflow automation platform has authorization flaws in its credential pipeline that an authenticated user holding the 'global:member' role can abuse. They can lead to the unauthorized retrieval of plaintext secrets from generic HTTP credentials, such as those used for HTTP Basic Authentication, HTTP Header Authentication, and HTTP Query Authentication. Two defects are involved: a name-based credential resolution mechanism that does not enforce ownership restrictions, and a permissions check that skips validation for certain credential types. Together they let a malicious user execute workflows that decrypt and use other users' credentials without permission. The issue, identified in the Community Edition, has been addressed in versions 1.123.27, 2.13.3, and 2.14.1. Users are encouraged to upgrade to these versions to safeguard their credentials; restricting access and rotating sensitive credentials are mitigations, but only as short-term measures.
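The following is an added illustration, not n8n's code, of the two defects the advisory describes and of a resolution routine that closes both. It models a generic credential store with hypothetical types, function names and sample records; the role model (owners and admins may access every credential, members only their own or shared ones) is an assumption made for the example.

```typescript
// Added example (not n8n's code): a credential store with name-based lookup and
// a type-based exemption from the ownership check, beside a hardened version.
// All names, roles and records are hypothetical, constructed for illustration.

type Role = "global:owner" | "global:admin" | "global:member";

interface User { id: string; role: Role }

interface Credential {
  id: string;
  name: string;
  type: string;         // e.g. "httpBasicAuth", "httpHeaderAuth", "httpQueryAuth"
  ownerId: string;
  sharedWith: string[]; // user ids explicitly granted access
  secret: string;       // stands in for the encrypted blob an engine would decrypt
}

// Constructed sample users and records. Note the name collision on "api-basic".
const alice: User = { id: "alice", role: "global:owner" };
const bob: User = { id: "bob", role: "global:member" };

const store: Credential[] = [
  { id: "c1", name: "api-basic", type: "httpBasicAuth", ownerId: "alice", sharedWith: [], secret: "alice:s3cret" },
  { id: "c2", name: "api-basic", type: "httpBasicAuth", ownerId: "bob", sharedWith: [], secret: "bob:hunter2" },
];

// Assumed role model: owners and admins see everything, members only what
// they own or were explicitly shared.
function canAccess(user: User, cred: Credential): boolean {
  if (user.role === "global:owner" || user.role === "global:admin") return true;
  return cred.ownerId === user.id || cred.sharedWith.includes(user.id);
}

// Hypothetical stand-in for the credential types whose permission check was
// skipped in the flawed code path.
const GENERIC_HTTP_TYPES = new Set(["httpBasicAuth", "httpHeaderAuth", "httpQueryAuth"]);

/** Vulnerable pattern: first store-wide match on name, and no ownership check
 *  at all for generic HTTP types. A member's workflow referencing "api-basic"
 *  receives whichever record happens to sort first, regardless of owner. */
function resolveVulnerable(requester: User, name: string, type: string): Credential | undefined {
  const cred = store.find(c => c.name === name && c.type === type);
  if (!cred) return undefined;
  if (GENERIC_HTTP_TYPES.has(type)) return cred;          // bypass: ownership never checked
  return canAccess(requester, cred) ? cred : undefined;
}

/** Hardened pattern: filter to what the requester may access first, apply that
 *  check uniformly for every type, prefer the stable id, and fail closed when a
 *  name is ambiguous instead of silently picking one record. */
function resolveHardened(requester: User, ref: { id?: string; name?: string }, type: string): Credential | undefined {
  const visible = store.filter(c => c.type === type && canAccess(requester, c));
  if (ref.id !== undefined) return visible.find(c => c.id === ref.id);
  const byName = visible.filter(c => c.name === ref.name);
  return byName.length === 1 ? byName[0] : undefined;
}
```

Run as a script, the vulnerable resolver hands bob alice's record for the shared name, while the hardened one returns only bob's own record, refuses alice's by id, and returns nothing for alice's ambiguous name lookup rather than guessing.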
Affected Version(s)
n8n < 1.123.27
n8n >= 2.0.0-rc.0, < 2.13.3
n8n = 2.14.0
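As an added helper (not part of the advisory or of n8n), the check below decides whether a given n8n version string falls inside the affected ranges listed above. It includes a small semantic-version comparator so that the 2.0.0-rc.0 lower bound is ordered correctly against release versions; the function names are hypothetical.

```typescript
// Added example: version-range check for CVE-2026-33663 (names hypothetical).
// Affected: < 1.123.27 ; >= 2.0.0-rc.0 and < 2.13.3 ; exactly 2.14.0.

interface Version { core: number[]; pre: string[] | null }

function parseVersion(v: string): Version {
  const s = v.trim().replace(/^v/, "");
  const idx = s.indexOf("-");
  const main = idx < 0 ? s : s.slice(0, idx);
  const pre = idx < 0 ? null : s.slice(idx + 1).split(".");
  const core = main.split(".").map(n => Number(n));
  if (core.length !== 3 || core.some(n => Number.isNaN(n))) throw new Error(`bad version: ${v}`);
  return { core, pre };
}

// Semver prerelease identifier ordering: numeric before alphanumeric,
// numerics compared as numbers, alphanumerics lexically.
function compareIds(a: string, b: string): number {
  const na = /^\d+$/.test(a);
  const nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareVersions(x: string, y: string): number {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    const d = (a.core[i] ?? 0) - (b.core[i] ?? 0);
    if (d !== 0) return d;
  }
  // Same core: a release is greater than any prerelease of it.
  if (a.pre === null && b.pre === null) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const ai: string | undefined = a.pre[i];
    const bi: string | undefined = b.pre[i];
    if (ai === undefined) return -1; // shorter prerelease list sorts lower
    if (bi === undefined) return 1;
    const d = compareIds(ai, bi);
    if (d !== 0) return d;
  }
  return 0;
}

/** True when `version` lies in one of the advisory's affected ranges. */
function isAffected(version: string): boolean {
  const lt = (v: string) => compareVersions(version, v) < 0;
  const ge = (v: string) => compareVersions(version, v) >= 0;
  const eq = (v: string) => compareVersions(version, v) === 0;
  return lt("1.123.27") || (ge("2.0.0-rc.0") && lt("2.13.3")) || eq("2.14.0");
}
```

Feed it the version reported by your n8n instance (for example the value shown in the UI's settings or by the image tag); a release-candidate of 2.0.0 is counted as affected because the range starts at 2.0.0-rc.0, while fixed versions and 2.14.1 return false.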
