Improper Authorization in n8n - #VU135230

 


Published: June 25, 2026


Vulnerability identifier: #VU135230
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the external secrets expression validation logic when processing credential expressions. A remote user can embed external secret references in forms that the validation does not detect, and thereby disclose sensitive information.

Only instances with an external secrets provider configured and Advanced Permissions enabled are vulnerable.


Remediation

Install the security update from the vendor's website.

Sources