{"data":{"id":"6797d3b4-2524-4ad9-8c04-6d2c61887644","title":"GHSA-fxcw-h3qj-8m8p: n8n Has External Secrets Authorization Bypass in Credential Saving","summary":"n8n, a workflow automation tool, had an authorization bypass in credential saving: authenticated users who lacked the necessary permission could bypass the authorization check and read the plaintext values of external secrets (credentials stored in connected vaults) by guessing secret names. The vulnerability affects only instances that have an external vault configured, and the attacker must be a valid user who knows or correctly guesses the target secret's name.","solution":"The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict n8n access to fully trusted users only or disable the external secrets integration until the patch can be applied, though these workarounds do not fully remediate the risk.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-fxcw-h3qj-8m8p","publishedAt":"2026-03-25T22:05:44.000Z","cveId":"CVE-2026-33722","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["n8n@>= 2.0.0-rc.0, < 2.6.4 (fixed: 2.6.4)","n8n@< 1.123.23 (fixed: 1.123.23)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-25T22:05:44.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0010"]}}