GHSA-fxcw-h3qj-8m8p: n8n Has External Secrets Authorization Bypass in Credential Saving
Summary
n8n, a workflow automation tool, had a security flaw where authenticated users without permission could bypass authorization checks and access plaintext values of external secrets (credentials stored in connected vaults) by guessing secret names. This vulnerability only affects instances with external vaults configured and requires the attacker to be a valid user who knows the target secret's name.
Solution / Mitigation
The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict n8n access to fully trusted users only or disable external secrets integration until the patch can be applied, though these workarounds do not fully remediate the risk.
Vulnerability Details
EPSS: 0.0%
March 25, 2026
Original source: https://github.com/advisories/GHSA-fxcw-h3qj-8m8p
First tracked: March 25, 2026 at 08:00 PM