CVE-2026-59254
Received Received - Intake

Information Disclosure in n8n Workflow Node Expressions

Vulnerability report for CVE-2026-59254, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without requiring explicit secrets access permissions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
n8n n8n to 2.28.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

n8n before version 2.28.1 has an information disclosure vulnerability where external secrets can be read in plaintext by authenticated project editors. This happens when secrets are referenced in node expressions outside their intended credentials scope, bypassing access controls.

Impact Analysis

Authenticated users with project editor access could read sensitive external secret values, such as API keys or passwords, even without explicit secrets permissions. This may lead to unauthorized access to systems or data protected by those secrets.

Compliance Impact

This vulnerability could result in unauthorized access to personal or sensitive data, potentially violating GDPR (data protection) and HIPAA (health information privacy) requirements. Organizations may face compliance violations and legal consequences if exploited.

Detection Guidance

Check n8n version with: n8n --version. If below 2.27.4 or 2.28.1, the system is vulnerable. Review workflow node expressions for unauthorized secret references. Inspect logs for unusual access patterns to external secrets.

Mitigation Strategies

Upgrade n8n to version 2.27.4 or 2.28.1 or later. Restrict project editor access to trusted users only. Disable external secrets if not required. Monitor for unauthorized secret access attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart