CVE-2026-59209
Received Received - Intake

Information Disclosure in n8n Workflow Automation

Vulnerability report for CVE-2026-59209, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated member with use-only editor access to a shared workflow could read credential-populated headers exposed via the $request object inside an HTTP Request node's pagination expression and exfiltrate the secret through item data. This issue is fixed in versions 1.123.61, 2.27.4, and 2.28.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 9 associated CPEs
Vendor Product Version / Range
n8n-io n8n 1.123.61
n8n-io n8n 2.27.4
n8n-io n8n 2.28.1
n8n-io n8n to 1.123.61 (exc)
n8n-io n8n to 2.27.4 (exc)
n8n-io n8n to 2.28.1 (exc)
n8n n8n to 1.123.61 (inc)
n8n n8n to 2.27.4 (inc)
n8n n8n to 2.28.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59209 is a vulnerability in n8n, an open-source workflow automation platform. It allows an authenticated user with editor access to a shared workflow to read credential-populated headers that are exposed via the $request object inside an HTTP Request node's pagination expression.

Specifically, when an HTTP Header Auth credential is used in a paginated request, the secret credential is exposed in the $request.headers object during the evaluation of the pagination expression. An attacker can craft a user-controlled expression to access this secret, copy it into item data, and then exfiltrate it through a subsequent HTTP Request node.

This issue affects instances where the expression engine is set to VM mode and paginated HTTP Request workflows with shared credentials are accessible to non-owner users. The vulnerability has been fixed in n8n versions 1.123.61, 2.27.4, and 2.28.1.

Impact Analysis

This vulnerability can lead to the unauthorized disclosure of sensitive credential information used in HTTP Header Auth within n8n workflows.

An attacker with editor access to a shared workflow could exfiltrate these secrets, potentially allowing them to access protected resources or services that rely on those credentials.

Because the attack requires only low complexity and no user interaction, it poses a significant confidentiality risk to affected systems.

Detection Guidance

This vulnerability can be detected by identifying if your n8n instance is running a vulnerable version prior to 1.123.61, 2.27.4, or 2.28.1 and if there are shared workflows with HTTP Request nodes using paginated requests that include credential-populated headers.

Specifically, detection involves checking for workflows where an authenticated user with editor access might have the ability to use pagination expressions that expose $request.headers containing sensitive credential information.

There are no explicit commands provided in the resources to detect this vulnerability on your system or network.

Mitigation Strategies

Immediate mitigation steps include upgrading n8n to a fixed version: 1.123.61, 2.27.4, or 2.28.1.

Until you can upgrade, restrict workflow sharing to trusted users only.

Avoid sharing credentials with untrusted users in workflows that use paginated HTTP Request nodes.

Compliance Impact

This vulnerability allows an authenticated user with editor access to a shared workflow to exfiltrate credential-populated headers, which are sensitive secrets. Such unauthorized disclosure of credentials can lead to data breaches involving confidential information.

Because the vulnerability impacts confidentiality by exposing sensitive credentials, it could negatively affect compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized access or disclosure.

Mitigations include restricting workflow sharing to trusted users and avoiding sharing credentials with untrusted users in workflows using paginated HTTP Request nodes, which can help maintain compliance until patched versions are applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59209. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart