Authentication Bypass in n8n Workflow Automation Platform
CVE-2026-33722
What is CVE-2026-33722?
The n8n workflow automation platform had a significant flaw in its external secrets management functionality. Prior to versions 2.6.4 and 1.123.23, an authenticated user without permission to list external secrets could reference a secret by its external name within a credential and retrieve the secret's plaintext value, bypassing the intended permission check. Organizations using n8n should upgrade to the latest versions to mitigate this vulnerability. Until the update is applied, temporary mitigations such as limiting n8n usage to trusted users and disabling the external secrets feature can help reduce risk.
Affected Version(s)
n8n < 1.123.23
n8n >= 2.0.0-rc.0, < 2.6.4
