Information disclosure in n8n - #VU137159
Published: July 8, 2026
n8n
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in execution data for LLM sub-nodes when storing custom header credential values during workflow runs. A remote user can read execution data to disclose sensitive information.
This issue only affects instances where workflows use LLM sub-nodes with custom headers defined in their credentials. Because execution data can be persisted to the database and exported, exposed values may remain accessible beyond a single execution.