{"data":{"id":"a52e3144-b1e5-463f-982e-d1ee78b27c3a","title":"GHSA-r4v6-9fqc-w5jr: n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay","summary":"n8n (a workflow automation tool) had a security flaw where authenticated users could steal API keys belonging to other users by exploiting the `dynamic-node-parameters` endpoints (parts of the system that handle credential references). An attacker with access to a shared workflow could submit another user's credential ID and trick the backend into sending that credential to a server the attacker controls, allowing them to capture and reuse the stolen API key.","solution":"The issue has been fixed in n8n version 2.18.0. Users should upgrade to this version or later to remediate the vulnerability. This record's affectedPackages field also lists 1.123.33 and 2.17.5 as fixed releases for the ranges it names. If upgrading is not immediately possible, administrators should restrict n8n access to fully trusted users only and avoid sharing workflows with users who should not have access to the credentials those workflows reference. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-r4v6-9fqc-w5jr","publishedAt":"2026-04-29T21:22:26.000Z","cveId":"CVE-2026-42226","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":["n8n@< 1.123.33 (fixed: 1.123.33)","n8n@>= 2.17.0, < 2.17.5 (fixed: 2.17.5)"],"affectedVendors":[],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-29T21:22:26.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}