Information Disclosure in n8n Affected by External Secret Mismanagement
CVE-2026-59254
6.3MEDIUM
What is CVE-2026-59254?
The n8n automation tool, prior to version 2.28.1, suffers from an information disclosure vulnerability that arises when external secrets are improperly resolved within workflow node expressions. This flaw permits authenticated project editors to access sensitive plaintext external secret values by utilizing them in node expressions without adequately obtaining the permission to access those secrets. Consequently, this oversight poses a significant risk as sensitive information can be exposed, leading to potential misuse and further security issues.
Affected Version(s)
n8n 0 < 2.28.1
n8n 0 < 2.27.4
n8n 2.28.1
