GHSA-756q-gq9h-fp22

Suggest an improvement
Source
https://github.com/advisories/GHSA-756q-gq9h-fp22
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-756q-gq9h-fp22/GHSA-756q-gq9h-fp22.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-756q-gq9h-fp22
Aliases
  • CVE-2026-42227
Published
2026-04-29T21:21:00Z
Modified
2026-05-08T01:49:48.683023Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure
Details

Impact

An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller.

If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately.

This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled.

Patches

The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Restrict n8n access and API key issuance to fully trusted users only.
  • Audit existing project variables for sensitive values and rotate any secrets that may have been exposed.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T21:21:00Z",
    "cwe_ids": [
        "CWE-639"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-05-04T19:16:04Z"
}
References

Affected packages

npm / n8n

Package

Name
n8n
View open source insights on deps.dev
Purl
pkg:npm/n8n

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.123.32

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-756q-gq9h-fp22/GHSA-756q-gq9h-fp22.json"

npm / n8n

Package

Name
n8n
View open source insights on deps.dev
Purl
pkg:npm/n8n

Affected ranges

Type
SEMVER
Events
Introduced
2.18.0
Fixed
2.18.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-756q-gq9h-fp22/GHSA-756q-gq9h-fp22.json"

npm / n8n

Package

Name
n8n
View open source insights on deps.dev
Purl
pkg:npm/n8n

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.17.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-756q-gq9h-fp22/GHSA-756q-gq9h-fp22.json"