Improper Authorization in n8n - #VU135230
Published: June 25, 2026
n8n
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the external secrets expression validation logic when processing credential expressions. A remote user can embed external secret references in forms that the validation does not detect, and thereby disclose sensitive information.
Only instances with an external secrets provider configured and Advanced Permissions enabled are vulnerable.