Information Disclosure in n8n Affected by External Secret Mismanagement
CVE-2026-59254

6.3MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-59254?

The n8n automation tool, prior to version 2.28.1, suffers from an information disclosure vulnerability that arises when external secrets are improperly resolved within workflow node expressions. This flaw permits authenticated project editors to access sensitive plaintext external secret values by utilizing them in node expressions without adequately obtaining the permission to access those secrets. Consequently, this oversight poses a significant risk as sensitive information can be exposed, leading to potential misuse and further security issues.

Affected Version(s)

n8n 0 < 2.28.1

n8n 0 < 2.27.4

n8n 2.28.1

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.