CVE-2026-42226
Credential Exfiltration in n8n Workflow Automation
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | Before 1.123.33 (excluding) |
| n8n | n8n | From 2.17.0 (including) to 2.17.5 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the n8n workflow automation platform prior to versions 1.123.33 and 2.17.5. The issue is that the dynamic-node-parameters endpoints did not properly verify if an authenticated user was authorized to use a credential reference they supplied. As a result, an authenticated user with access to a shared workflow could provide a credential ID belonging to another user. This caused the backend to decrypt and use that foreign credential in a helper execution path, where the user also controls the destination URL.
This flaw allowed the attacker to force the backend to authenticate against attacker-controlled infrastructure using another user's credential, effectively exfiltrating a reusable API key. The vulnerability is not limited to any single node type but affects any node that resolves credentials dynamically through these endpoints.
The issue has been fixed in versions 1.123.33, 2.17.5, and 2.18.0.
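The CWE-862 pattern described above, shown as an added TypeScript illustration that is not n8n's code: a hypothetical credential store with an owner and an explicit share list, an unchecked resolver that trusts a caller-supplied credential ID, and a hardened resolver that only returns a credential the requesting user owns or has been shared.

```typescript
// Hypothetical data model (not n8n's): a credential has an owner and a share list.
interface StoredCredential {
  id: string;
  ownerId: string;
  sharedWith: Set<string>;
  encryptedData: string; // placeholder for the encrypted secret blob
}

// Constructed sample store: alice and bob each own one credential;
// bob has shared his with carol.
const store = new Map<string, StoredCredential>([
  ["cred-alice", { id: "cred-alice", ownerId: "alice", sharedWith: new Set(), encryptedData: "enc(alice-key)" }],
  ["cred-bob",   { id: "cred-bob",   ownerId: "bob",   sharedWith: new Set(["carol"]), encryptedData: "enc(bob-key)" }],
]);

// Vulnerable pattern: a helper path resolves whatever credential ID arrived in
// the request body, never asking who the caller is. Any authenticated user who
// can reach the endpoint can name another user's credential here.
function resolveCredentialUnchecked(credentialId: string): StoredCredential | undefined {
  return store.get(credentialId);
}

// Hardened pattern: the caller's identity is part of the lookup. A credential
// is usable only by its owner or by users it was explicitly shared with.
function canUseCredential(userId: string, cred: StoredCredential): boolean {
  return cred.ownerId === userId || cred.sharedWith.has(userId);
}

function resolveCredentialForUser(userId: string, credentialId: string): StoredCredential {
  const cred = store.get(credentialId);
  // One error for both "does not exist" and "not yours", so the endpoint does
  // not confirm which credential IDs exist to a caller who may not use them.
  if (cred === undefined || !canUseCredential(userId, cred)) {
    throw new Error("credential not found or not accessible");
  }
  return cred;
}

// Convenience for audits/tests: true when the hardened check rejects the request.
function isRejected(userId: string, credentialId: string): boolean {
  try { resolveCredentialForUser(userId, credentialId); return false; }
  catch { return true; }
}
```

Any request path that later opens a network connection with the resolved credential (the user-controlled destination URL in the description) must go through the checked resolver, never the unchecked one.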
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to credentials belonging to other users within the n8n platform. An attacker who is authenticated and has access to a shared workflow can exfiltrate reusable API keys by tricking the backend into using those credentials to authenticate against attacker-controlled infrastructure.
The impact includes potential compromise of sensitive API keys, which could be used to access external services or data, leading to data breaches, unauthorized actions, or further exploitation within connected systems.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade n8n to version 1.123.33, 2.17.5, 2.18.0 or later, where the issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user to exfiltrate reusable API keys belonging to other users by exploiting improper authorization checks on credential references. Such unauthorized access and potential data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive information and credentials.
By enabling attackers to misuse credentials and potentially access or manipulate protected data or services, the vulnerability undermines confidentiality and integrity requirements essential for compliance with these standards.