CVE-2026-59254

Summary

n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without requiring explicit secrets access permissions.

Affected Software

VendorProductVersion RangeStatus
n8nn8n0 < 2.28.1affected
n8nn8n2.28.1unaffected
n8nn8n0 < 2.27.4affected
n8nn8n2.27.4unaffected

Weaknesses

  • CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References