n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without requiring explicit secrets access permissions.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without requiring explicit secrets access permissions. | |
| Title | n8n - External Secrets Disclosure via Workflow Node Expressions | |
| First Time appeared |
N8n
N8n n8n |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:* | |
| Vendors & Products |
N8n
N8n n8n |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-07-15T11:25:34.866Z
Updated: 2026-07-15T13:25:43.797Z
Reserved: 2026-07-04T12:17:14.301Z
Link: CVE-2026-59254
Updated: 2026-07-15T13:20:06.805Z
No data.
No data.