{"data":{"id":"f4701504-bf31-4f2c-a8ca-06f443d63a59","title":"GHSA-756q-gq9h-fp22: n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure","summary":"n8n, a workflow automation tool, had a security flaw where authenticated users with an API key could read variables (data storage containers) from projects they shouldn't have access to by manipulating a query parameter, potentially exposing secrets like passwords or tokens. This vulnerability only affected enterprise or team deployments with multiple projects enabled.","solution":"The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should restrict n8n access and API key issuance to fully trusted users only, and audit existing project variables for sensitive values and rotate any secrets that may have been exposed (though these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures).","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-756q-gq9h-fp22","publishedAt":"2026-04-29T21:21:00.000Z","cveId":"CVE-2026-42227","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":["n8n@>= 2.0.0, < 2.17.4 (fixed: 2.17.4)","n8n@>= 2.18.0, < 2.18.1 (fixed: 2.18.1)","n8n@< 1.123.32 (fixed: 1.123.32)"],"affectedVendors":[],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-29T21:21:00.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}