{"data":{"id":"00d54b06-89bf-44d4-a6b1-269c238129b4","title":"GHSA-m63j-689w-3j35: n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition","summary":"n8n Community Edition has a flaw that lets an authenticated user with basic permissions steal plaintext secrets from other users' HTTP credentials (such as basic auth or header auth) by exploiting weaknesses in how credentials are looked up and validated. This happens because the system does not properly check who owns a credential and skips security checks for generic HTTP credential types. Only Community Edition is affected; the paid Enterprise version is not.","solution":"Upgrade to the fixed release for your version line, or any later release: 1.123.27 (for versions before 1.123.27), 2.13.3 (for 2.0.0-rc.0 up to but not including 2.13.3), or 2.14.1 (for 2.14.0). If upgrading is not immediately possible, administrators should restrict instance access to fully trusted users only, audit stored credentials, and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed. These workarounds do not fully remediate the risk.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-m63j-689w-3j35","publishedAt":"2026-03-25T21:08:33.000Z","cveId":"CVE-2026-33663","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["n8n@>= 2.0.0-rc.0, < 2.13.3 (fixed: 2.13.3)","n8n@= 2.14.0 (fixed: 2.14.1)","n8n@< 1.123.27 (fixed: 1.123.27)"],"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-25T21:08:33.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0010"]}}